CVE-2017-15692

CRITICAL9.8EPSS 4.7%

Apache Geode unsafe deserialization in TcpServer

Published: 5/14/2022Modified: 11/8/2023

Description

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

Affected packages (1)

Maven/org.apache.geode:geode-core>= 1.0.0, < 1.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-15692
WEBhttps://github.com/apache/geode/pull/1166
WEBhttps://issues.apache.org/jira/browse/GEODE-3923
WEBhttps://lists.apache.org/thread/dctjhhjtomnsk625dj90dg4sgm438k0k