{"url":"http://public2.vulnerablecode.io/api/packages/1029865?format=json","purl":"pkg:maven/org.apache.storm/storm-metrics-prometheus@2.7.1","type":"maven","namespace":"org.apache.storm","name":"storm-metrics-prometheus","version":"2.7.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.8.7","latest_non_vulnerable_version":"2.8.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84137?format=json","vulnerability_id":"VCID-rfee-2pn5-nyan","summary":"Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription: \n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. 
All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40557","reference_id":"","reference_type":"","scores":[{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.3199","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40557"},{"reference_url":"https://github.com/apache/storm","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/storm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40557","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40557"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/04/25/2","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/04/25/2"},{"reference_url":"https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq","reference_id":"f5bv68z1y5xstz22psjk05p3wn86knjq","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:58:23Z/"}],"url":"https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq"},{"reference_url":"https://github.com/advisories/GHSA-82fm-wpc2-5pmp","reference_id":"GHSA-82fm-wpc2-5pmp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-82fm-wpc2-5pmp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373846?format=json","purl":"pkg:maven/org.apache.storm/storm-metrics-prometheus@2.8.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-metrics-prometheus@2.8.7"}],"aliases":["CVE-2026-40557","GHSA-82fm-wpc2-5pmp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rfee-2pn5-nyan"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-metrics-prometheus@2.7.1"}