CVE-2022-37023

2022-08-3107:15:07

CWE-502

[email protected]

web.nvd.nist.gov

403

cve-2022-37023

apache geode

deserialization

rest api

vulnerability

java 8

java 11

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

39.7%

JSON

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling “validate-serializable-objects=true” and specifying any user classes that may be serialized/deserialized with “serializable-object-filter”. Enabling “validate-serializable-objects” may impact performance.

Affected configurations

Vulners

NVD

Node

apachegeodeRange≤1.15.0

CPENameOperatorVersion
apache:geodeapache geodelt1.15.0

CPE	Name	Operator	Version
apache:geode	apache geode	lt	1.15.0

CNA Affected

[
  {
    "platforms": [
      "Java 8 or 11"
    ],
    "product": "Apache Geode",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.15.0",
        "status": "affected",
        "version": "Apache Geode",
        "versionType": "custom"
      }
    ]
  }
]