CVE-2017-15693

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
7.5HIGH
EPSS
3.1%
top 13.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache GeodeApache Software Foundation Apache Geode
Timeline
PublishedFeb 27
Latest updateMay 14

Description

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

NVDapache/geode< 1.4.0
Mavenorg.apache.geode:geode-core1.0.01.4.0
CVEListV5apache_software_foundation/apache_geode1.0.0 to 1.3.0

🔴Vulnerability Details

3
OSV
Apache Geode unsafe deserialization of application objects2022-05-14
GHSA
Apache Geode unsafe deserialization of application objects2022-05-14
CVEList
CVE-2017-15693: In Apache Geode before v12018-02-27
CVE-2017-15693 (HIGH CVSS 7.5) | In Apache Geode before v1.4.0 | cvebase.io