SCA: security update for org.apache.storm:storm-webapp (GHSA-f2hp-qw27-8wfq)

medium Tenable Cloud Security Plugin ID 440411

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Affected:
before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including
component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and
parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could
craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing
an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js
tooltip rendering, resulting in stored cross-site scripting. In multi-tenant deployments where topology
submission is available to less-trusted users but the UI is accessed by operators or administrators, this
enables privilege escalation through script execution in an admin's browser session. Mitigation: 2.x users
should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and
parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values
including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into
tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus
ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.
Credit: This issue was discovered while investigating another report by K. (CVE-2026-35565)

Solution

Update the org.apache.storm:storm-webapp library and its related packages to version 2.8.6 or later.

See Also

https://github.com/advisories/GHSA-f2hp-qw27-8wfq

Plugin Details

Severity: Medium

ID: 440411

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 4/15/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-35565

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/13/2026

Vulnerability Publication Date: 4/13/2026

Reference Information

CVE: CVE-2026-35565

cwe: CWE-79