CVE-2017-15693 – org.apache.geode:geode-core
Package
Manager: maven
Name: org.apache.geode:geode-core
Vulnerable Version: >=1.0.0 <1.4.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.017 (percentile 0.81571)
Details
Apache Geode unsafe deserialization of application objects
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.
Metadata
Created: 2022-05-14T03:35:52Z
Modified: 2022-11-08T14:32:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-95m2-p98f-24r5/GHSA-95m2-p98f-24r5.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-95m2-p98f-24r5
Finding: F096
Auto approve: 1