Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system

Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This...

CVE-2025-47410

Apache Geode CVE-2025-47410: CSRF via GET requests to the Management and Monitoring REST API can allow an attacker to trick a logged-in user into submitting commands on behalf of that user. Affected versions are 1.10–1.15.1; remediation is to upgrade to 1.15.2. Public references corroborate the i...

GHSA-37M3-QP37-X3C6 Apache Geode gfsh query vulnerability

When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing...

CVE-2016-9885

An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh Geode Shell endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are...