GHSA-w395-hpq9-7xwr

Source

https://github.com/advisories/GHSA-w395-hpq9-7xwr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w395-hpq9-7xwr/GHSA-w395-hpq9-7xwr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w395-hpq9-7xwr

Aliases

CVE-2017-15692

Published

2022-05-14T03:35:52Z

Modified

2023-11-08T03:58:57.693647Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Geode unsafe deserialization in TcpServer

Details

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

Database specific

{
    "nvd_published_at": "2018-02-27T15:29:00Z",
    "github_reviewed_at": "2022-11-08T14:32:59Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Maven / org.apache.geode:geode-core

Package

Name: org.apache.geode:geode-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.geode/geode-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.4.0

Affected versions

1.*

1.0.0-incubating.M2

1.0.0-incubating.M3

1.0.0-incubating

1.1.0

1.1.1

1.2.0

1.2.1

1.3.0