Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05NW0yLXA5OGYtMjRyNc4AAXMV
Apache Geode unsafe deserialization of application objects
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.
Permalink: https://github.com/advisories/GHSA-95m2-p98f-24r5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NW0yLXA5OGYtMjRyNc4AAXMV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-95m2-p98f-24r5, CVE-2017-15693
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15693
- https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d@%3Cuser.geode.apache.org%3E
- https://github.com/apache/geode/pull/1166
- https://issues.apache.org/jira/browse/GEODE-3923
- https://github.com/advisories/GHSA-95m2-p98f-24r5
Blast Radius: 19.2
Affected Packages
maven:org.apache.geode:geode-core
Dependent packages: 51Dependent repositories: 368
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.4.0
Fixed in: 1.4.0
All affected versions: 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0
All unaffected versions: 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.0, 1.15.1