CVE-2017-15692
CRITICAL: Apache Geode < 1.4.0 - Remote Code Execution via TcpServer Deserialization
Title source: llmDescription
In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.
References (2)
Core References
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/103205
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E
Scores
CVSS v3: 9.8
EPSS: 0.0466
EPSS Percentile: 89.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-502
Status: published
Products (2)
apache/geode: < 1.4.0
org.apache.geode/geode-core (Maven): 1.0.0 - 1.4.0
Published: Feb 27, 2018
Tracked Since: Feb 18, 2026