Platform
java
Component
org.apache.storm:storm-webapp
Fixed in
2.8.6
CVE-2026-35565 describes a Stored Cross-Site Scripting (XSS) vulnerability found in the Apache Storm web UI. This vulnerability allows an authenticated user with topology submission rights to inject malicious HTML or JavaScript code into the UI through crafted topology metadata, potentially leading to unauthorized actions or data theft. The vulnerability affects versions of Apache Storm up to and including 2.8.5, but a patch is available in version 2.8.6.
CVE-2026-35565 in Apache Storm UI introduces a stored Cross-Site Scripting (XSS) vulnerability. This occurs because the UI directly interpolates topology metadata, including component IDs, stream names, and grouping values, into HTML via innerHTML without any sanitization. An authenticated user with topology submission privileges could craft a malicious topology containing HTML/JavaScript in component identifiers. This allows an attacker to execute arbitrary JavaScript in the browsers of other users accessing the UI, potentially stealing session cookies, redirecting to malicious sites, or performing actions on behalf of the affected user. The CVSS score is 5.4, indicating a medium-level risk.
An attacker requires authentication and permissions to submit topologies to Apache Storm. Once the attacker submits a malicious topology, the malicious JavaScript code is stored in the UI's database or cache. When other users access the UI to view the topology, the JavaScript code executes in their browsers. Exploitation relies on the absence of sanitization of topology metadata before it is inserted into the UI's HTML. The success of exploitation depends on the attacker's ability to create a topology containing malicious JavaScript that can be executed in the context of the target user.
Exploit status
EPSS
0.02% (4th percentile)
CVSS vector
The primary mitigation for this vulnerability is to upgrade Apache Storm to version 2.8.6 or later. This version includes fixes to prevent the direct interpolation of topology metadata into HTML. As a temporary workaround, consider disabling topology visualization in the UI if it's not essential. Additionally, implement security policies that restrict topology submission privileges to trusted users, reducing the attack surface. Monitoring UI logs for suspicious activity can also help identify and respond to potential attacks.
Upgrade to version 2.8.6 or later to mitigate the vulnerability. If an immediate upgrade is not possible, patch the parseNode() and parseEdge() functions in the visualization JavaScript file so that they HTML-escape every value supplied by the API, including nodeId, :capacity, :latency, :component, :stream and :grouping, before interpolating it into the tooltip HTML strings.
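As an added example that is not Apache Storm's own code, the following shows the defect and the fix side by side: a hypothetical tooltip builder that interpolates API-supplied node and edge metadata into an HTML string the vulnerable way, and the hardened form that HTML-escapes each value first. The field names mirror the advisory; the sample metadata values are constructed.

```javascript
// Added example (not Apache Storm's code). Demonstrates the innerHTML
// interpolation defect from the advisory and the escaping fix for it.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: raw API values are concatenated into an HTML string
// that the page later assigns to innerHTML, so any markup in a value is live.
function buildNodeTooltipUnsafe(node) {
  return "<b>" + node.nodeId + "</b><br>" +
    "Capacity: " + node[":capacity"] + "<br>" +
    "Latency: " + node[":latency"] + " ms";
}

// Hardened pattern: every API-supplied value is escaped before interpolation.
function buildNodeTooltipSafe(node) {
  return "<b>" + escapeHtml(node.nodeId) + "</b><br>" +
    "Capacity: " + escapeHtml(node[":capacity"]) + "<br>" +
    "Latency: " + escapeHtml(node[":latency"]) + " ms";
}

// Same treatment for the edge fields named in the advisory.
function buildEdgeTooltipSafe(edge) {
  return "Component: " + escapeHtml(edge[":component"]) + "<br>" +
    "Stream: " + escapeHtml(edge[":stream"]) + "<br>" +
    "Grouping: " + escapeHtml(edge[":grouping"]);
}

// Number of tag openers in the rendered HTML; the fixed template contributes a
// known count, so any extra opener came from a metadata value.
function countTags(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample metadata: a component id carrying harmless markup.
const SAMPLE_NODE = { nodeId: "<b>bolt-1</b>", ":capacity": "0.52", ":latency": "1.8" };
const SAMPLE_EDGE = { ":component": "spout-a", ":stream": "default", ":grouping": "<i>shuffle</i>" };

console.log(buildNodeTooltipUnsafe(SAMPLE_NODE)); // markup from nodeId survives
console.log(buildNodeTooltipSafe(SAMPLE_NODE));   // markup from nodeId is inert text
```

Building the tooltip with DOM APIs and textContent instead of an innerHTML string avoids the escaping step altogether.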
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Version 2.8.6 includes a fix for this specific vulnerability, eliminating the risk of stored XSS.
The attacker needs authentication and permissions to submit topologies to Apache Storm.
If you are using a version of Apache Storm prior to 2.8.6, you are likely affected. Refer to the Apache Storm documentation for more information.
Implement security policies to restrict topology submission privileges and monitor UI logs.