Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.storm/storm-metrics-prometheus@2.8.0
Type maven
Namespace org.apache.storm
Name storm-metrics-prometheus
Version 2.8.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.8.7
Latest_non_vulnerable_version 2.8.7
Affected_by_vulnerabilities
0
url VCID-s55h-va9y-33cg
vulnerability_id VCID-s55h-va9y-33cg
summary
Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter

Versions Affected: from 2.6.3 to 2.8.6

Description:

In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (disabled by default), intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.

The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default: disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. The setting flows through the storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process, including ZooKeeper, Thrift, Netty, and UI connections, silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.

Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Users of the Prometheus Metrics Reporter who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40557
reference_id
reference_type
scores
0
value 0.0013
scoring_system epss
scoring_elements 0.31997
published_at 2026-06-06T12:55:00Z
1
value 0.0013
scoring_system epss
scoring_elements 0.3195
published_at 2026-06-09T12:55:00Z
2
value 0.0013
scoring_system epss
scoring_elements 0.31927
published_at 2026-06-08T12:55:00Z
3
value 0.0013
scoring_system epss
scoring_elements 0.32027
published_at 2026-06-05T12:55:00Z
4
value 0.0013
scoring_system epss
scoring_elements 0.31959
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40557
1
reference_url https://github.com/apache/storm
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/storm
2
reference_url https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:58:23Z/
url https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40557
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40557
4
reference_url http://www.openwall.com/lists/oss-security/2026/04/25/2
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/04/25/2
5
reference_url https://github.com/advisories/GHSA-82fm-wpc2-5pmp
reference_id GHSA-82fm-wpc2-5pmp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-82fm-wpc2-5pmp
fixed_packages
0
url pkg:maven/org.apache.storm/storm-metrics-prometheus@2.8.7
purl pkg:maven/org.apache.storm/storm-metrics-prometheus@2.8.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-metrics-prometheus@2.8.7
aliases CVE-2026-40557, GHSA-82fm-wpc2-5pmp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s55h-va9y-33cg
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.storm/storm-metrics-prometheus@2.8.0