Vulnerability Details CVE-2017-15693
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 79.2%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.0
References
- http://www.securityfocus.com/bid/103206
- https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d%40%3Cuser.geode.apache.org%3E
- http://www.securityfocus.com/bid/103206
- https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d%40%3Cuser.geode.apache.org%3E
Products affected by CVE-2017-15693
-
cpe:2.3:a:apache:geode:1.0.0
-
cpe:2.3:a:apache:geode:1.1.0
-
cpe:2.3:a:apache:geode:1.1.1
-
cpe:2.3:a:apache:geode:1.2.0
-
cpe:2.3:a:apache:geode:1.2.1
-
cpe:2.3:a:apache:geode:1.3.0