
CVE-2022-34870 – Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application
https://notcve.org/view.php?id=CVE-2022-34870
25 Oct 2022 — Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. Apache Geode versiones hasta 1.15.0, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) por inyección de datos cuando es usada la aplicación web Pulse para ver las entradas de la Región • http://www.openwall.com/lists/oss-security/2022/10/24/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-37023 – Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
https://notcve.org/view.php?id=CVE-2022-37023
31 Aug 2022 — Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.... • https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj • CWE-502: Deserialization of Untrusted Data •

CVE-2022-37022 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11
https://notcve.org/view.php?id=CVE-2022-37022
31 Aug 2022 — Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator. Apa... • https://lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m • CWE-502: Deserialization of Untrusted Data •

CVE-2022-37021 – Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
https://notcve.org/view.php?id=CVE-2022-37021
31 Aug 2022 — Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on speci... • https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr • CWE-502: Deserialization of Untrusted Data •

CVE-2021-34797 – Apache Geode project log file redaction of sensitive information vulnerability
https://notcve.org/view.php?id=CVE-2021-34797
04 Jan 2022 — Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0. Apache Geode versiones hasta 1.12.4 y la 1.13.4, son vulnerables a un fallo de redacción de información confiden... • https://lists.apache.org/thread/nq2w9gjzm1cjx1rh6zw41ty39qw7qpx4 • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2019-10091
https://notcve.org/view.php?id=CVE-2019-10091
16 Mar 2020 — When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack. Cuando TLS está habilitado con ssl-endpoint-identification-enabled establecido en verdadero, Apache Geode presenta un fallo al realizar la verificación del nombre de host de las entradas en el certificado SAN durante el protocolo de enlac... • https://lists.apache.org/thread.html/r3342077ac4798631300366be86e545d0c08753cca8fd2663867fe200%40%3Cdev.geode.apache.org%3E • CWE-295: Improper Certificate Validation •