GHSA-gjp8-99fv-cgcw

Source

https://github.com/advisories/GHSA-gjp8-99fv-cgcw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-gjp8-99fv-cgcw/GHSA-gjp8-99fv-cgcw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gjp8-99fv-cgcw

Aliases

CVE-2025-47410

Published

2025-10-18T18:30:22Z

Modified

2025-11-05T21:07:47.975817Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system

Details

Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.

This issue affects Apache Geode: versions 1.10 through 1.15.1

Users are recommended to upgrade to version 1.15.2, which fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-352"
    ],
    "github_reviewed_at": "2025-10-20T17:55:22Z",
    "nvd_published_at": "2025-10-18T16:15:35Z",
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Maven / org.apache.geode:geode-web

Package

Name: org.apache.geode:geode-web; View open source insights on deps.dev
Purl: pkg:maven/org.apache.geode/geode-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.10.0

Fixed

1.15.2

Affected versions

1.*

1.10.0

1.11.0

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.12.7

1.12.8

1.12.9

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

1.13.7

1.13.8

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.15.0

1.15.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-gjp8-99fv-cgcw/GHSA-gjp8-99fv-cgcw.json"