CVE-2022-34870 – Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application
https://notcve.org/view.php?id=CVE-2022-34870
Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Apache Geode versiones hasta 1.15.0, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) por inyección de datos cuando es usada la aplicación web Pulse para ver las entradas de la Región • http://www.openwall.com/lists/oss-security/2022/10/24/3 https://lists.apache.org/thread/zltlr7f2ymr2m6jj54k4z0c4foos5fwx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-37023 – Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
https://notcve.org/view.php?id=CVE-2022-37023
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance. Apache Geode versiones anteriores a 1.15.0, son vulnerables a un fallo de deserialización de datos no confiables cuando es usada la API REST en Java versión 8 o Java versión 11. Cualquier usuario que desee protegerse contra los ataques de deserialización que implican las APIs REST debe actualizar a Apache Geode versión 1.15 y seguir la documentación para detalles sobre la habilitación de "validate-serializable-objects=true" y especificar cualquier clase de usuario que pueda ser serializada/de serializada con "serializable-object-filter". • https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj • CWE-502: Deserialization of Untrusted Data •
CVE-2022-37021 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
https://notcve.org/view.php?id=CVE-2022-37021
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance. • https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr • CWE-502: Deserialization of Untrusted Data •