{"id":"CVE-2018-1331","details":"In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 through 1.1.2, and 1.2.0 through 1.2.1, an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user.","aliases":["GHSA-p8jx-x2vw-wm33"],"modified":"2026-04-10T04:05:16.649650Z","published":"2018-07-10T17:29:00.213Z","references":[{"type":"ADVISORY","url":"http://storm.apache.org/2018/06/04/storm113-released.html"},{"type":"ADVISORY","url":"http://storm.apache.org/2018/06/04/storm122-released.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2018/07/10/4"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/104732"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041273"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/storm","events":[{"introduced":"0"},{"last_affected":"d8e4a3b59e6a97165ff769f11c9d4d2d3ecbb9dc"},{"introduced":"dba655a47aaad74f26b9bb9a75fa52c0eedd8b1e"},{"last_affected":"7993db01580ce62d44866dc00e0a7266984638d0"},{"introduced":"0"},{"last_affected":"0bb7a66a9b26ad96afc81b27dd45f93ae8969c44"},{"introduced":"2a0097f9a20b9df494caadb87c87d4e4db01a7ed"},{"last_affected":"d156d25d991311eaa1f5131d3dc34787f87ce684"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.10.2"},{"introduced":"1.0.0"},{"last_affected":"1.0.6"},{"introduced":"0"},{"last_affected":"1.1.2"},{"introduced":"1.2.0"},{"last_affected":"1.2.1"}]}}],"versions":["0.9.0","0.9.0-rc1","0.9.0-rc2","0.9.0-rc3","0.9.0.1","PRE_SECURITY_MERGE","v0.10.0","v0.10.0-beta","v0.10.0-beta1","v0.10.1","v0.10.2","v0.9.1-incubating","v0.9.2-incubating","v0.9.3-rc1","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.1.0","v1.1.1","v1.1.2","v1.2.0","v1.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1331.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}