
184 matches found

Source: Positive Technologies · added 2022/08/31 12:0 a.m.

PT-2022-4604 · Apache · Apache Geode

Name of the Vulnerable Software and Affected Versions: Apache Geode versions up to 1.12.2 and 1.13.2
Description: The issue is related to the deserialization of untrusted data when using JMX over RMI on Java 11, which can allow a remote attacker to execute arbitrary code. This flaw affects the JM...

CVSS 10 · AI score 8.8 · EPSS 0.00243 · Exploits 0 · References 8
Source: Positive Technologies · added 2022/08/31 12:0 a.m.

PT-2022-4605 · Apache · Apache Geode

Name of the Vulnerable Software and Affected Versions: Apache Geode versions prior to 1.15.0
Description: The issue is related to the restoration of untrusted data in memory through the REST API interface of the Apache Geode data management platform. This can allow a remote attacker to execute...

CVSS 10 · AI score 6.7 · EPSS 0.00462 · Exploits 0 · References 8
Source: CNNVD · added 2022/08/31 12:0 a.m.

Apache Geode code issue vulnerability

A remote code execution vulnerability exists in Apache Geode, the Apache Foundation's management platform for providing real-time and consistent access to data for data-intensive applications in distributed cloud architectures. An attacker could exploit this vulnerability to cause remote code...

CVSS 9.8 · AI score 8.3 · EPSS 0.00567 · Exploits 0 · References 2
Source: Github Security Blog · added 2022/05/17 2:50 a.m.

Apache Geode information disclosure vulnerability

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the...

CVSS 7.5 · AI score 7.1 · EPSS 0.00073 · Exploits 0 · References 3 · Affected Software 1
Source: OSV · added 2022/05/17 2:50 a.m.

GHSA-2GW6-73WC-X88F Apache Geode information disclosure vulnerability

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the...

CVSS 7.5 · AI score 6 · EPSS 0.00073 · Exploits 0 · References 2
Source: vulnersOsv · added 2022/05/17 12:34 a.m.

com.lightbend.akka:akka-stream-alpakka-geode_2.11 (>=0.10 <=2.0.2), com.lightbend.akka:akka-stream-alpakka-geode_2.12 (>=0.10 <=6.0.2) +59 more potentially affected by CVE-2017-9794 via org.apache.geode:geode-core (>=1.10.0 <=1.2.0)

org.apache.geode:geode-core MAVEN version =1.10.0, =0.10, =0.10, =2.0.0, =0.1.9, =2.4.0, =1.22.0, =1.14.0, =1.10.0, =1.10.0, =1.10.0, =1.12.0, =1.11.0, =1.15.4 and more
Source cves: CVE-2017-9794
Source advisory: OSV:GHSA-37M3-QP37-X3C6...

CVSS 4.3 · AI score 5.5 · EPSS 0.0013 · Exploits 0
Source: Github Security Blog · added 2022/05/17 12:34 a.m.

Apache Geode gfsh query vulnerability

When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing...

CVSS 4.3 · AI score 4.1 · EPSS 0.0013 · Exploits 0 · References 4 · Affected Software 1
Source: OSV · added 2022/05/17 12:34 a.m.

GHSA-37M3-QP37-X3C6 Apache Geode gfsh query vulnerability

When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing...

CVSS 4.3 · AI score 6 · EPSS 0.0013 · Exploits 0 · References 3
Source: Github Security Blog · added 2022/05/14 3:47 a.m.

Apache Geode gfsh authorization vulnerability

When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges...

CVSS 7.1 · AI score 1.9 · EPSS 0.00076 · Exploits 3 · References 4 · Affected Software 1
Source: OSV · added 2022/05/14 3:47 a.m.

GHSA-H22R-H77W-2G5F Apache Geode gfsh authorization vulnerability

When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges...

CVSS 7.1 · AI score 6.6 · EPSS 0.00076 · Exploits 3 · References 3
Source: OSV · added 2022/05/14 3:46 a.m.

GHSA-Q7CP-R6CJ-HPF5 Apache Geode OQL bind parameter vulnerability

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions...

CVSS 5.3 · AI score 5.1 · EPSS 0.0011 · Exploits 0 · References 3
Source: OSV · added 2022/05/14 3:37 a.m.

GHSA-G569-49WG-JX5F Apache Geode configuration request authorization vulnerability

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code...

CVSS 7.5 · AI score 7.4 · EPSS 0.00222 · Exploits 0 · References 5
Source: Github Security Blog · added 2022/05/14 3:37 a.m.

Apache Geode configuration request authorization vulnerability

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code...

CVSS 7.5 · AI score 7.2 · EPSS 0.00222 · Exploits 0 · References 5 · Affected Software 1
Source: vulnersOsv · added 2022/05/14 3:37 a.m.

com.lightbend.akka:akka-stream-alpakka-geode_2.11 (>=0.10 <=2.0.2), com.lightbend.akka:akka-stream-alpakka-geode_2.12 (>=0.10 <=6.0.2) +71 more potentially affected by CVE-2017-15696 via org.apache.geode:geode-core (>=1.10.0 <=1.3.0)

org.apache.geode:geode-core MAVEN version =1.10.0, =0.10, =0.10, =2.0.0, =0.1.9, =2.4.0, =1.16.0, =1.14.0, =1.10.0, =1.10.0, =1.10.0, =1.12.0, =1.11.0, =1.15.4 and more
Source cves: CVE-2017-15696
Source advisory: OSV:GHSA-G569-49WG-JX5F...

CVSS 7.5 · AI score 7.2 · EPSS 0.00222 · Exploits 0
Source: Github Security Blog · added 2022/05/14 3:35 a.m.

Apache Geode unsafe deserialization in TcpServer

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath...

CVSS 9.8 · AI score 9.4 · EPSS 0.0466 · Exploits 0 · References 5 · Affected Software 1
Source: OSV · added 2022/05/14 3:35 a.m.

GHSA-95M2-P98F-24R5 Apache Geode unsafe deserialization of application objects

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are...

CVSS 7.5 · AI score 7.8 · EPSS 0.03089 · Exploits 0 · References 4
Source: Github Security Blog · added 2022/05/14 3:35 a.m.

Apache Geode unsafe deserialization of application objects

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are...

CVSS 7.5 · AI score 7.8 · EPSS 0.03089 · Exploits 0 · References 5 · Affected Software 1
Source: OSV · added 2022/05/14 3:35 a.m.

GHSA-W395-HPQ9-7XWR Apache Geode unsafe deserialization in TcpServer

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath...

CVSS 9.8 · AI score 9.7 · EPSS 0.0466 · Exploits 0 · References 4
Source: OSV · added 2022/05/14 12:57 a.m.

GHSA-6M68-3W55-6MX4 Apache Geode OQL method invocation vulnerability

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. In addition a user could invoke methods that allow remote cod...

CVSS 7.5 · AI score 7.7 · EPSS 0.01479 · Exploits 0 · References 5
Source: Github Security Blog · added 2022/05/14 12:57 a.m.

Apache Geode OQL method invocation vulnerability

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. In addition a user could invoke methods that allow remote cod...

CVSS 7.5 · AI score 4.1 · EPSS 0.01479 · Exploits 0 · References 6 · Affected Software 1