{"id":"CVE-2021-38294","details":"A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.","aliases":["GHSA-6768-mcjc-8223"],"modified":"2026-04-12T01:57:34.793133Z","published":"2021-10-25T13:15:07.957Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r5fe881f6ca883908b7a0f005d35115af49f43beea7a8b0915e377859%40%3Cuser.storm.apache.org%3E"},{"type":"ADVISORY","url":"https://seclists.org/oss-sec/2021/q4/44"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/storm","events":[{"introduced":"dba655a47aaad74f26b9bb9a75fa52c0eedd8b1e"},{"fixed":"1bc944091b727e9a892bb36349231fcc57d9ea30"},{"introduced":"79fc9b3e6aeec623b42d165536a936d28f2b12f1"},{"fixed":"c5009d993ee049cd0b7c3fe0dad2fc8f700ddb5f"},{"introduced":"bf1986345de5de605abb4fc7b6051fce762bbca5"},{"fixed":"1d86ffd1adc1920e6788a76f017b2e2f873a7162"}],"database_specific":{"cpe":"cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"1.0.0"},{"fixed":"1.2.4"},{"introduced":"2.1.0"},{"fixed":"2.1.1"},{"introduced":"2.2.0"},{"fixed":"2.2.1"}]}}],"versions":["v1.0.0","v1.0.1","v1.1.0","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v2.1.0","v2.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-38294.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}