CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-34870 – Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application
https://notcve.org/view.php?id=CVE-2022-34870
25 Oct 2022 — Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Apache Geode versiones hasta 1.15.0, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) por inyección de datos cuando es usada la aplicación web Pulse para ver las entradas de la Región • http://www.openwall.com/lists/oss-security/2022/10/24/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-37023 – Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
https://notcve.org/view.php?id=CVE-2022-37023
31 Aug 2022 — Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.... • https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-37022 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11
https://notcve.org/view.php?id=CVE-2022-37022
31 Aug 2022 — Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator. Apa... • https://lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-37021 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
https://notcve.org/view.php?id=CVE-2022-37021
31 Aug 2022 — Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on speci... • https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-34797 – Apache Geode project log file redaction of sensitive information vulnerability
https://notcve.org/view.php?id=CVE-2021-34797
04 Jan 2022 — Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0. Apache Geode versiones hasta 1.12.4 y la 1.13.4, son vulnerables a un fallo de redacción de información confiden... • https://lists.apache.org/thread/nq2w9gjzm1cjx1rh6zw41ty39qw7qpx4 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 0CVE-2017-15694
https://notcve.org/view.php?id=CVE-2017-15694
21 Jun 2019 — When an Apache Geode server versions 1.0.0 to 1.8.0 is operating in secure mode, a user with write permissions for specific data regions can modify internal cluster metadata. A malicious user could modify this data in a way that affects the operation of the cluster. Cuando un servidor Apache Geode versiones desde 1.0.0 hasta 1.8.0 está operando en modo seguro, un usuario con permisos de escritura para regiones de datos específicas puede modificar los metadatos del clúster interno. Un usuario malicioso podrí... • http://www.securityfocus.com/bid/108870 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2017-15695
https://notcve.org/view.php?id=CVE-2017-15695
13 Jun 2018 — When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege. Cuando un servidor de Apache Geode entre las versiones 1.0.0 y 1.4.0 está configurado con un gestor de seguridad, un usuario con privilegios DATA:WRITE puede implementar código mediante la invocación de una funci... • http://www.securityfocus.com/bid/104465 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2017-15693
https://notcve.org/view.php?id=CVE-2017-15693
27 Feb 2018 — In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath. En Apache Geode, en versiones anteriores a la v1.4.0, el servidor Geode almacena objetos de aplicación de forma serializada. Ciertas operaciones del clúster e invocaciones de la API hacen que e... • http://www.securityfocus.com/bid/103206 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 0CVE-2017-15692
https://notcve.org/view.php?id=CVE-2017-15692
27 Feb 2018 — In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath. En Apache Geode, en versiones anteriores a la v1.4.0, el TcpServer en el localizador Geode abre un puerto de red que deserializa datos. Si un usuario sin privilegios obtiene acceso al localizador Geode, podría ser capaz de provocar la ejecuc... • http://www.securityfocus.com/bid/103205 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15696
https://notcve.org/view.php?id=CVE-2017-15696
26 Feb 2018 — When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code. Cuando un clúster de Apache Geode, en versiones anteriores a la v1.4.0, está operando en modo seguro, el servicio de configuración Geode no autoriza las peticiones de configuración correctamente. Esto permite que ... • https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f%40%3Cdev.geode.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •