CVE-2022-34870 – Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application
https://notcve.org/view.php?id=CVE-2022-34870
Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Apache Geode versiones hasta 1.15.0, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) por inyección de datos cuando es usada la aplicación web Pulse para ver las entradas de la Región • http://www.openwall.com/lists/oss-security/2022/10/24/3 https://lists.apache.org/thread/zltlr7f2ymr2m6jj54k4z0c4foos5fwx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-37023 – Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
https://notcve.org/view.php?id=CVE-2022-37023
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance. Apache Geode versiones anteriores a 1.15.0, son vulnerables a un fallo de deserialización de datos no confiables cuando es usada la API REST en Java versión 8 o Java versión 11. Cualquier usuario que desee protegerse contra los ataques de deserialización que implican las APIs REST debe actualizar a Apache Geode versión 1.15 y seguir la documentación para detalles sobre la habilitación de "validate-serializable-objects=true" y especificar cualquier clase de usuario que pueda ser serializada/de serializada con "serializable-object-filter". • https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj • CWE-502: Deserialization of Untrusted Data •
CVE-2022-37022 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11
https://notcve.org/view.php?id=CVE-2022-37022
Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator. Apache Geode versiones hasta 1.12.2 y 1.13.2, son vulnerables a un fallo de deserialización de datos no confiables cuando es usado JMX sobre RMI en Java versión 11. • https://lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m • CWE-502: Deserialization of Untrusted Data •
CVE-2022-37021 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
https://notcve.org/view.php?id=CVE-2022-37021
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance. • https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr • CWE-502: Deserialization of Untrusted Data •
CVE-2021-34797 – Apache Geode project log file redaction of sensitive information vulnerability
https://notcve.org/view.php?id=CVE-2021-34797
Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0. Apache Geode versiones hasta 1.12.4 y la 1.13.4, son vulnerables a un fallo de redacción de información confidencial en el archivo de registro cuando son usados valores que comienzan con caracteres distintos a letras o números para las contraseñas y propiedades de seguridad con el prefijo "sysprop-", "javax.net.ssl" o "security-". Este problema es solucionado al revisar la redacción del archivo de registro en Apache Geode versiones 1.12.5, 1.13.5 y 1.14.0 • https://lists.apache.org/thread/nq2w9gjzm1cjx1rh6zw41ty39qw7qpx4 https://lists.apache.org/thread/p4l0g49rzzzpn8yt9q9p0xp52h3zmsmk • CWE-532: Insertion of Sensitive Information into Log File •