CVE-2017-15693

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.

Published: Feb 27, 2018
Updated: Nov 8, 2023
CVE: CVE-2017-15693
GHSA: GHSA-95m2-p98f-24r5
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
apache / geode	-	1.4.0
org.apache.geode / geode-core	1.0.0	1.4.0

http://www.securityfocus.com/bid/103206
https://github.com/apache/geode/pull/1166
https://issues.apache.org/jira/browse/GEODE-3923
https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d@%3Cuser.geode.apache.org%3E
https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d%40%3Cuser.geode.apache.org%3E

Vulnerability Database

289,689

CVE-2017-15693