6 matches found
CVE-2022-37023
Apache Geode prior to 1.15.0 is vulnerable to deserialization of untrusted data through its REST APIs when running on Java 8 or Java 11. Because the REST operations deserialize attacker-supplied data, an attacker may be able to execute arbitrary code. Mitigation per the sources is to up...
CVE-2017-15693
Apache Geode prior to v1.4.0 stores objects in serialized form, and certain cluster operations and API invocations deserialize these objects. A user with DATA:WRITE access to the cluster may trigger remote code execution if certain classes are present on the classpath. The issue is rooted in unsa...
CVE-2017-9795
CVE-2017-9795 affects Apache Geode clusters prior to v1.3.0 that are running in secure mode. A user with read access to specific regions can execute OQL queries that read and write objects in unauthorized regions, and can invoke methods that may lead to remote code execution. The documents do not specify exploit vecto...
CVE-2017-15692
CVE-2017-15692 affects Apache Geode prior to v1.4.0. The TcpServer in the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the locator and certain classes are on the classpath, remote code execution may be possible. Exploitation status an...
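The three deserialization entries above (CVE-2022-37023, CVE-2017-15693 and CVE-2017-15692) share one root cause: a network-reachable endpoint hands untrusted bytes to Java's ObjectInputStream, which instantiates whatever serializable class the sender names, so any suitable class on the classpath becomes a code-execution gadget. The program below is an added illustration of that pattern and of the JEP 290 ObjectInputFilter allowlist that closes it; it is not Apache Geode code, and the RegionPut and Gadget classes and the allowlist contents are assumptions made for the demo. Geode exposes the same allowlist idea through its validate-serializable-objects and serializable-object-filter properties.

```java
import java.io.*;
import java.util.Set;

/**
 * Added illustration (not Apache Geode code) of untrusted Java deserialization
 * and a JEP 290 allowlist filter. Class names and the allowlist are assumptions.
 */
public class DeserializationFilterDemo {

    /** Hypothetical payload the endpoint legitimately expects. */
    public static final class RegionPut implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String region;
        public final String key;
        public final String value;
        public RegionPut(String region, String key, String value) {
            this.region = region; this.key = key; this.value = value;
        }
    }

    /**
     * Stand-in for a gadget class: code in readObject() runs during
     * deserialization, before the caller ever sees the object. A real gadget
     * would spawn a process; this one only records that it ran.
     */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean executed = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = true;
        }
    }

    /** Vulnerable: instantiates any class the peer names in the stream. */
    public static Object unsafeRead(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    /** Hardened: allowlist filter rejects unexpected classes before they are instantiated. */
    public static Object safeRead(byte[] wire) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(RegionPut.class.getName(), String.class.getName());
        ObjectInputFilter filter = info -> {
            // Cheap guards against deeply nested or reference-heavy streams (DoS).
            if (info.depth() > 8 || info.references() > 1000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            // Non-class events (e.g. array length checks) carry no class; leave them undecided.
            if (c == null || c.isPrimitive() || c.isArray()) {
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new RegionPut("orders", "42", "paid"));
        byte[] hostile = serialize(new Gadget());   // constructed attacker input

        unsafeRead(hostile);
        System.out.println("unsafe path ran gadget readObject: " + Gadget.executed);

        Gadget.executed = false;
        RegionPut p = (RegionPut) safeRead(legit);
        System.out.println("safe path accepted " + p.region + "/" + p.key);
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe path rejected gadget: " + e.getMessage()
                    + "; readObject ran: " + Gadget.executed);
        }
    }
}
```

Compile and run with Java 9 or newer (ObjectInputFilter lives in java.io there; on Java 8u121+ the same filter is sun.misc.ObjectInputFilter). The filter is consulted for every class in the stream, so it must admit the harmless classes a legitimate payload contains (String here) as well as the top-level type; a rejected class causes an InvalidClassException before any readObject hook runs. The jdk.serialFilter system property installs an equivalent filter process-wide when the code performing the deserialization cannot be changed.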
CVE-2017-12622
Summary: Apache Geode gfsh authorization vuln allows an authenticated user to read status information and control cluster members via HTTP in clusters running a Geode version before 1.3.0, even without CLUSTER:MANAGE privileges. Affected product/version: Apache Geode; versions before 1.3.0. Impac...
CVE-2017-9796
CVE-2017-9796 affects Apache Geode prior to v1.3.0 when operating in secure mode. A user with read access to certain regions can submit an OQL query whose bind parameter names a region, which may grant read access to objects in unauthorized regions. This is documented in multiple sources (GitHu...