Description

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

Remediation

References

http://www.securityfocus.com/bid/103205

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2020-10992 Vulnerability in maven package com.linkedin.azkaban:azkaban-common

CVE-2022-31197 Vulnerability in maven package org.postgresql:postgresql

CVE-2019-15609 Vulnerability in npm package kill-port-process

CVE-2022-25646 Vulnerability in npm package x-data-spreadsheet

CVE-2020-2111 Vulnerability in maven package org.jenkins-ci.plugins:subversion

Severity

Critical

Classification

CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry