6 results (0.002 seconds)

CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 0

25 Oct 2022 — Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Apache Geode versiones hasta 1.15.0, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) por inyección de datos cuando es usada la aplicación web Pulse para ver las entradas de la Región • http://www.openwall.com/lists/oss-security/2022/10/24/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0

31 Aug 2022 — Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.... • https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0

31 Aug 2022 — Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator. Apa... • https://lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m • CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0

31 Aug 2022 — Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on speci... • https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

04 Jan 2022 — Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0. Apache Geode versiones hasta 1.12.4 y la 1.13.4, son vulnerables a un fallo de redacción de información confiden... • https://lists.apache.org/thread/nq2w9gjzm1cjx1rh6zw41ty39qw7qpx4 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

16 Mar 2020 — When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack. Cuando TLS está habilitado con ssl-endpoint-identification-enabled establecido en verdadero, Apache Geode presenta un fallo al realizar la verificación del nombre de host de las entradas en el certificado SAN durante el protocolo de enlac... • https://lists.apache.org/thread.html/r3342077ac4798631300366be86e545d0c08753cca8fd2663867fe200%40%3Cdev.geode.apache.org%3E • CWE-295: Improper Certificate Validation •