Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13Mzk1LWhwcTktN3h3cs4AAXMW
Apache Geode unsafe deserialization in TcpServer
In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.
Permalink: https://github.com/advisories/GHSA-w395-hpq9-7xwrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Mzk1LWhwcTktN3h3cs4AAXMW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-w395-hpq9-7xwr, CVE-2017-15692
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15692
- https://github.com/apache/geode/pull/1166
- https://issues.apache.org/jira/browse/GEODE-3923
- https://lists.apache.org/thread/dctjhhjtomnsk625dj90dg4sgm438k0k
- https://github.com/advisories/GHSA-w395-hpq9-7xwr
Blast Radius: 25.1
Affected Packages
maven:org.apache.geode:geode-core
Dependent packages: 51Dependent repositories: 368
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.4.0
Fixed in: 1.4.0
All affected versions: 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0
All unaffected versions: 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.0, 1.15.1