CVE-2017-15692 – org.apache.geode:geode-core

Package

Manager: maven
Name: org.apache.geode:geode-core
Vulnerable Version: >=1.0.0 <1.4.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.04594 pctl0.88822

Details

Apache Geode unsafe deserialization in TcpServer In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

Metadata

Created: 2022-05-14T03:35:52Z
Modified: 2022-11-08T14:32:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w395-hpq9-7xwr/GHSA-w395-hpq9-7xwr.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-w395-hpq9-7xwr
Finding: F096
Auto approve: 1