Description

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

Remediation

References

http://www.securityfocus.com/bid/103205

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2022-39396 Vulnerability in npm package parse-server

CVE-2019-1003028 Vulnerability in maven package org.jenkins-ci.plugins:jms-messaging

CVE-2020-2192 Vulnerability in maven package org.jenkins-ci.plugins:swarm-plugin

CVE-2016-10610 Vulnerability in npm package unicode-json

CVE-2018-8014 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

Critical

Classification

CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry