ApacheGeode

23 matches found

CVE-2020-1938
added 2020/02/24 9:19 p.m., 4223 views

CVE-2020-1938 (Tomcat AJP vulnerability): The issue affects Apache Tomcat where the AJP Connector, enabled by default in several legacy releases, could be reached through untrusted networks. An attacker could exploit the configured AJP path to read arbitrary files in the web application and pote...

CVSS 9.8 | AI score 9.9 | EPSS 0.94469 | In wild
CVE-2019-15752
added 2019/08/28 8:24 p.m., 1433 views

CVE-2019-15752 affects Docker Desktop Community Edition prior to 2.1.0.1. A local attacker can escalate privileges by placing a Trojan horse docker-credential-wincred.exe in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, then rely on an admin/service user authenticating with Do...

CVSS 9.3 | AI score 7.6 | EPSS 0.45598 | In wild
CVE-2022-37023
added 2022/08/31 7:00 a.m., 466 views

Apache Geode (prior to 1.15.0) is vulnerable to deserialization of untrusted data via REST APIs when running on Java 8 or Java 11. The root cause is untrusted data deserialization during REST operations, enabling attackers to potentially execute arbitrary code. Mitigation per the sources is to up...

CVSS 6.5 | AI score 6.5 | EPSS 0.00462
CVE-2017-15694
added 2019/06/21 3:15 p.m., 352 views

CVE-2017-15694 affects Apache Geode server versions 1.0.0–1.8.0 when operating in secure mode. A user with write permissions for specific data regions can modify internal cluster metadata, with the malicious action potentially affecting cluster operation. The root cause is described as unauthoriz...

CVSS 6.5 | AI score 6.3 | EPSS 0.00712
CVE-2019-14892
added 2020/03/02 4:28 p.m., 238 views

CVE-2019-14892: In jackson-databind, polymorphic deserialization can be exploited via JNDI gadgets (commons-configuration 1/2) to achieve remote code execution. Affected: jackson-databind versions before 2.9.10, 2.8.11.5, and 2.6.7.3. Remediation: upgrade to a fixed jackson-databind release (e.g...

CVSS 9.8 | AI score 9.4 | EPSS 0.00873
CVE-2017-15693
added 2018/02/27 3:00 p.m., 117 views

Apache Geode prior to v1.4.0 stores objects in serialized form, and certain cluster operations and API invocations deserialize these objects. A user with DATA:WRITE access to the cluster may trigger remote code execution if certain classes are present on the classpath. The issue is rooted in unsa...

CVSS 7.5 | AI score 7.8 | EPSS 0.03089
CVE-2022-37022
added 2022/08/31 7:00 a.m., 111 views

CVE-2022-37022 affects Apache Geode up to versions 1.12.2 and 1.13.2, where deserialization of untrusted data is possible when using JMX over RMI on Java 11. The underlying issue enables a remote attacker to trigger deserialization via JMX/RMI, with high impact on confidentiality, integrity, and ...

CVSS 8.8 | AI score 8.7 | EPSS 0.00243
CVE-2017-9794
added 2017/09/29 9:00 p.m., 110 views

The CVE-2017-9794 entry describes an information-disclosure flaw in Apache Geode prior to version 1.2.1: when a cluster runs in secure mode, a user with read access to certain data regions can use the gfsh CLI to run queries, and query results may include data from another user’s concurrent gfsh ...

CVSS 4.3 | AI score 4.8 | EPSS 0.0013
CVE-2017-9797
added 2017/10/02 1:00 p.m., 101 views

The vulnerability CVE-2017-9797 affects Apache Geode clusters running versions prior to 1.2.1 in secure mode. An unauthenticated client can enter multi-user authentication mode and send metadata messages, which can disclose information about application data types and enable a denial-of-service a...

CVSS 6.5 | AI score 6.5 | EPSS 0.00163
CVE-2017-9795
added 2018/01/10 3:00 a.m., 90 views

CVE-2017-9795 affects Apache Geode clusters running in secure mode prior to v1.3.0. A user with read access to specific regions can execute OQL queries that read/write objects in unauthorized regions and may invoke methods enabling remote code execution. The documents do not specify exploit vecto...

CVSS 7.5 | AI score 7.7 | EPSS 0.01479
CVE-2019-10091
added 2020/03/16 1:05 p.m., 85 views

CVE-2019-10091 affects Apache Geode. When TLS is enabled and ssl-endpoint-identification-enabled is true, Geode may fail to verify hostnames in the certificate SAN during the SSL handshake, enabling potential man-in-the-middle scenarios and compromising intra-cluster communications. The issue is ...

CVSS 7.4 | AI score 7.2 | EPSS 0.00131
CVE-2022-37021
added 2022/08/31 7:00 a.m., 81 views

Apache Geode is vulnerable to deserialization of untrusted data when using JMX over RMI on Java 8 in versions up to 1.12.5, 1.13.4, and 1.14.0. The advised fix is to upgrade to Geode 1.15 with Java 11. If Java 11 is not possible, upgrade to Geode 1.15 and start Locators/Servers with --J=-Dgeode.e...

CVSS 9.8 | AI score 9.5 | EPSS 0.00567
CVE-2022-34870
added 2022/10/25 12:00 a.m., 80 views

CVE-2022-34870: Concrete details from connected records show that Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) flaw via data injection when using the Pulse web application to view Region entries. The underlying issue is described as an XSS in the Pulse data-inject...

CVSS 5.4 | AI score 5.3 | EPSS 0.02568
CVE-2014-0048
added 2020/01/02 4:22 p.m., 79 views

CVE-2014-0048 affects Docker before 1.6.0. The issue is that some programs and scripts in Docker were downloaded via HTTP and then executed or used in unsafe ways, enabling potential exposure of data or control depending on use. Multiple sources (NVD, OSV, OSV Ubuntu, Nessus/NASL) corroborate thi...

CVSS 9.8 | AI score 9.4 | EPSS 0.03303
CVE-2017-15692
added 2018/02/27 3:00 p.m., 79 views

Summary: CVE-2017-15692 affects Apache Geode prior to v1.4.0. The TcpServer in the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the locator and certain classes are on the classpath, remote code execution may be possible. Exploitation status an...

CVSS 9.8 | AI score 9.6 | EPSS 0.0466
CVE-2021-34797
added 2022/01/04 8:55 a.m., 75 views

CVE-2021-34797 affects Apache Geode up to 1.12.4 and 1.13.4, where log file redaction mishandles values starting with non-alphanumeric characters for passwords and security properties prefixed with “sysprop-”, “javax.net.ssl”, or “security-”. This could lead to sensitive information being written...

CVSS 7.5 | AI score 7.2 | EPSS 0.00356
CVE-2017-12622
added 2018/01/10 3:00 a.m., 73 views

Summary: An Apache Geode gfsh authorization vulnerability allows an authenticated user to read status information and control cluster members via HTTP in clusters running a Geode version before 1.3.0, even without CLUSTER:MANAGE privileges. Affected product/version: Apache Geode; versions before 1.3.0. Impac...

CVSS 7.1 | AI score 6.6 | EPSS 0.00076
CVE-2017-15695
added 2018/06/13 5:00 p.m., 73 views

CVE-2017-15695 affects Apache Geode server versions 1.0.0–1.4.0 when configured with a security manager. A user with the privileges DATA:WRITE can deploy code by invoking an internal Geode function, enabling remote code execution. The proper restriction is that code deployment should be limited t...

CVSS 8.8 | AI score 8.9 | EPSS 0.02236
CVE-2017-15696
added 2018/02/26 2:00 a.m., 72 views

The CVE-2017-15696 entry affects Apache Geode before v1.4.0. In secure mode, the Geode configuration service fails to properly authorize configuration requests, allowing an unprivileged user with access to a Geode locator to extract configuration data and previously deployed application code. Con...

CVSS 7.5 | AI score 7.4 | EPSS 0.00222
CVE-2017-9796
added 2018/01/10 3:00 a.m., 63 views

CVE-2017-9796 affects Apache Geode prior to v1.3.0 when operating in secure mode. A user with read access to certain regions can have their OQL query bind parameter specify a region name, which may grant read access to objects in unauthorized regions. This is documented in multiple sources (GitHu...

CVSS 5.3 | AI score 5.1 | EPSS 0.0011
CVE-2017-5649
added 2017/04/04 6:00 p.m., 61 views

CVE-2017-5649 affects Apache Geode prior to 1.1.1. When a cluster has security-manager enabled, remote authenticated users with CLUSTER:READ but not DATA:READ can access the data browser page in Pulse and run an OQL query, exposing data stored in the cluster. The vulnerability is demonstrated by ...

CVSS 7.5 | AI score 7.2 | EPSS 0.00073
CVE-2025-47410
added 2025/10/18 3:15 p.m., 23 views

Apache Geode CVE-2025-47410: CSRF via GET requests to the Management and Monitoring REST API can allow an attacker to trick a logged-in user into submitting commands on behalf of that user. Affected versions are 1.10–1.15.1; remediation is to upgrade to 1.15.2. Public references corroborate the i...

CVSS 8.8 | AI score 6.7 | EPSS 0.00025
CVE-2024-44088
added 2025/10/14 2:36 p.m., 11 views

Apache Geode web-api (REST) is affected by a Cross-site Scripting (XSS) vulnerability that can be exploited when a logged-in user is tricked into clicking a crafted link, potentially enabling code execution on the victim page and leading to session information theft or account takeover. All Geode...

CVSS 6.1 | AI score 7.1 | EPSS 0.00149