CVE-2019-0202
Vulnerability Description
The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.
Known Affected Software
2 configurations from 1 vendor:
- storm, version 0.9.2 (incubating); CPE: cpe:2.3:a:apache:storm:0.9.2:incubating:*:*:*:*:*:*
- storm, version 0.9.1 (incubating); CPE: cpe:2.3:a:apache:storm:0.9.1:incubating:*:*:*:*:*:*
This vulnerability affects 2 software configuration(s). Ensure you patch all affected systems.
References & Resources
- https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f%40%3Cuser.storm.apache.org%3E (reference source: security@apache.org)
- https://lists.apache.org/thread.html/220f1a77ff20749326a4c130446c5521db854da0afe81d1974b8109f%40%3Cuser.storm.apache.org%3E (reference source: af854a3a-2127-422b-91ae-364da2661108)
Severity Details
CVSS Score (out of 10.0): Low
Weakness Type (CWE)
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
- Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- Exploit Likelihood: High
- Typical Severity: Medium
- Abstraction Level: Class
Key Information
- Published Date: July 26, 2019
