CVE-2017-15692

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
9.8CRITICAL
EPSS
4.7%
top 10.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache GeodeApache Software Foundation Apache Geode
Timeline
PublishedFeb 27
Latest updateMay 14

Description

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDapache/geode< 1.4.0
Mavenorg.apache.geode:geode-core1.0.01.4.0
CVEListV5apache_software_foundation/apache_geode1.0.0 to 1.3.0

🔴Vulnerability Details

3
OSV
Apache Geode unsafe deserialization in TcpServer2022-05-14
GHSA
Apache Geode unsafe deserialization in TcpServer2022-05-14
CVEList
CVE-2017-15692: In Apache Geode before v12018-02-27
CVE-2017-15692 (CRITICAL CVSS 9.8) | In Apache Geode before v1.4.0 | cvebase.io