Lucene search

Veracode Vulnerability DatabaseVERACODE:44375

HistoryNov 27, 2023 - 5:16 a.m.

Information Disclosure

2023-11-2705:16:41

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

storm-core

vulnerability

information disclosure

insecure permissions

file creation

unix-like systems

sensitive information

attacker

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

storm-core is vulnerable to Information Disclosure. The vulnerability exists because the createExtraPropertiesFile function in TopologySpoutLag.java creates a file with a predefined name (easily identifiable) and, by default, will create this file with insecure permissions (-rw-r--r--) on Unix-like systems. This allows an attacker to read sensitive information.

CPENameOperatorVersion
storm corele2.5.0
storm corele2.5.0

CPE	Name	Operator	Version
	storm core	le	2.5.0
	storm core	le	2.5.0

References

www.openwall.com/lists/oss-security/2023/11/23/1

github.com/advisories/GHSA-85p4-q357-72h9

github.com/apache/storm/commit/b778125a17ce7497d80aea1e339f3a282aeeb65a

lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l

www.openwall.com/lists/oss-security/2023/11/23/1

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for VERACODE:44375