Description
In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.
Remediation
References
http://www.securityfocus.com/bid/103205
https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E