CVE-2017-15693

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Geode
Vendor: CVE Published:; 27 February 2018

Summary

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.

Affected Version(s)

Apache Geode 1.0.0 to 1.3.0

References

http://www.securityfocus.com/bid/103206

vdb-entryx_refsource_BID

https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 27, 2018
Vulnerability Reserved
Oct 21, 2017