Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS13Mzk1LWhwcTktN3h3cs4AAXMW

Critical EPSS: 0.04372% (0.88494 Percentile) EPSS:
Permalink JSON

Apache Geode unsafe deserialization in TcpServer

Affected Packages Affected Versions Fixed Versions
maven:org.apache.geode:geode-core >= 1.0.0, < 1.4.0 1.4.0
51 Dependent packages
368 Dependent repositories

Affected Version Ranges

All affected versions

1.0.0-incubating, 1.0.0-incubating.M2, 1.0.0-incubating.M3, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0

All unaffected versions

1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.0, 1.15.1, 1.15.2

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

References:

Identifiers

GHSA-w395-hpq9-7xwr

CVE-2017-15692

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.04372

EPSS Percentile: 0.88494

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/geode

Date and time

Published

over 3 years ago

Updated

almost 3 years ago

API

JSON