Description

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

Remediation

References

http://www.securityfocus.com/bid/103205

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2020-17519 Vulnerability in maven package org.apache.flink:flink-runtime_2.11

CVE-2015-2918 Vulnerability in maven package com.orientechnologies:orientdb-studio

CVE-2019-20921 Vulnerability in npm package bootstrap-select

CVE-2017-12619 Vulnerability in maven package org.apache.zeppelin:zeppelin

CVE-2018-3728 Vulnerability in maven package org.webjars.npm:hoek

Severity

Critical

Classification

CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry