CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34870 – Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application
https://notcve.org/view.php?id=CVE-2022-34870
25 Oct 2022 — Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Apache Geode versiones hasta 1.15.0, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) por inyección de datos cuando es usada la aplicación web Pulse para ver las entradas de la Región • http://www.openwall.com/lists/oss-security/2022/10/24/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-37023 – Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
https://notcve.org/view.php?id=CVE-2022-37023
31 Aug 2022 — Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.... • https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 24%CPEs: 3EXPL: 0CVE-2022-37021 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
https://notcve.org/view.php?id=CVE-2022-37021
31 Aug 2022 — Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on speci... • https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr • CWE-502: Deserialization of Untrusted Data •