Apache Geode project log file redaction of sensitive information vulnerability
Description
Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode fails to redact passwords and security properties when their values start with non-alphanumeric characters.
Vulnerability
An information disclosure vulnerability in Apache Geode versions up to 1.12.4 and 1.13.4 allows sensitive values such as passwords and security properties to appear in cleartext in log files. The flaw occurs when the values begin with characters other than letters or numbers and when the property key uses the prefixes sysprop-, javax.net.ssl, or security- [1].
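As an added illustration of the bug class described above (this example's own code, not Geode's redaction logic, whose actual regular expressions are not reproduced here), the Python below models a redactor whose value capture only admits values that start with a letter or digit, beside a hardened form that masks any non-whitespace value. The key prefixes are the ones the advisory names; the log lines are constructed for the demonstration.

```python
import re

# Key shapes the advisory says should be redacted: anything containing
# "password", plus keys under the prefixes sysprop-, javax.net.ssl and
# security-. This regex is the example's own, not Geode's ArgumentRedactor.
_KEY = r"(?P<key>[\w.\-]*(?:password|sysprop-|javax\.net\.ssl|security-)[\w.\-]*)"

# Model of the flawed behaviour: the value capture requires a leading letter
# or digit, so values such as "!hunter2" or "-p@ss" never match and are
# written to the log in cleartext.
FLAWED = re.compile(_KEY + r"=(?P<value>[A-Za-z0-9]\S*)", re.IGNORECASE)

# Hardened form: mask every non-whitespace value regardless of its first
# character. Stopping at whitespace keeps the capture from swallowing the
# next space-separated argument.
FIXED = re.compile(_KEY + r"=(?P<value>\S+)", re.IGNORECASE)

MASK = "********"


def redact(line: str, pattern: re.Pattern) -> str:
    """Replace the value of every sensitive key=value pair in one log line."""
    return pattern.sub(lambda m: f"{m.group('key')}={MASK}", line)


def leaked(line: str, pattern: re.Pattern) -> list[str]:
    """Values that `pattern` leaves in cleartext: every sensitive pair found by
    the reference FIXED pattern that still appears verbatim after redaction."""
    redacted = redact(line, pattern)
    return [m.group("value") for m in FIXED.finditer(line) if m.group(0) in redacted]


# Constructed command-line echoes, not real Geode log output.
SAMPLES = [
    "--J=-Dgemfire.security-password=hunter2 --name=server1",
    "--J=-Dgemfire.security-password=!hunter2 --name=server1",
    "sysprop-db-password=-p@ss javax.net.ssl.keyStorePassword=#keys",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("flawed:", redact(line, FLAWED))
        print("fixed :", redact(line, FIXED))
        print("leaked:", leaked(line, FLAWED))
```

Only the first sample, whose value starts with a letter, is masked by the flawed pattern; the other two pass through untouched, which is exactly the condition the advisory describes.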
Exploitation
An attacker who can read Apache Geode log files can recover sensitive values that should have been redacted. No network position or authentication is required beyond access to the logs themselves; the leak occurs whenever an affected property (a password, or a key prefixed sysprop-, javax.net.ssl, or security-) is configured with a value whose first character is not a letter or digit [1].
Impact
Successful exploitation leads to the exposure of sensitive configuration data, including passwords and SSL-related secrets, to anyone who can read the Geode log files. This compromises the confidentiality of the system and can enable further attacks [1].
Mitigation
The vulnerability is fixed in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0 [1]; upgrading to one of these versions stops further leakage. No workarounds are documented in the available references. The fix does not alter log files already written: any password or SSL secret that an affected version logged in cleartext should be treated as exposed and rotated, and read access to the log directory restricted in the meantime.
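As an added example (not from the advisory or the Geode project), the Python below checks whether a Geode version string falls inside the affected ranges stated above and scans existing log lines for sensitive keys whose values are still in cleartext, so that the exposed secrets can be identified and rotated. The key regex and the log lines are this example's own constructions.

```python
import re
from typing import Iterable

# Key shapes the advisory names as sensitive (example's own regex, not Geode code).
SENSITIVE_PAIR = re.compile(
    r"(?P<key>[\w.\-]*(?:password|sysprop-|javax\.net\.ssl|security-)[\w.\-]*)"
    r"=(?P<value>\S+)",
    re.IGNORECASE,
)


def is_affected(version: str) -> bool:
    """True for the versions the advisory lists as vulnerable: everything
    below 1.12.5, and the 1.13 line from 1.13.0 up to 1.13.4."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    v = (major, minor, patch)
    return v < (1, 12, 5) or (1, 13, 0) <= v < (1, 13, 5)


def find_cleartext_secrets(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """(line number, key, value) for every sensitive pair whose value is not
    an all-asterisk mask, i.e. a secret the redactor let through."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in SENSITIVE_PAIR.finditer(line):
            if set(m.group("value")) != {"*"}:
                hits.append((n, m.group("key"), m.group("value")))
    return hits


# Constructed log lines in a Geode-like layout, not real server output.
SAMPLE_LOG = """\
[info 2021/09/01 10:00:00.000 UTC server1 <main> tid=0x1] Command Line Parameters: --J=-Dgemfire.security-password=********
[info 2021/09/01 10:00:00.001 UTC server1 <main> tid=0x1] Command Line Parameters: --J=-Dgemfire.security-password=!hunter2
[info 2021/09/01 10:00:00.002 UTC server1 <main> tid=0x1] sysprop-db-password=-p@ss name=server1
[info 2021/09/01 10:00:00.003 UTC server1 <main> tid=0x1] javax.net.ssl.trustStorePassword=********
""".splitlines()

if __name__ == "__main__":
    for ver in ("1.12.4", "1.12.5", "1.13.4", "1.13.5", "1.14.0"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for n, key, value in find_cleartext_secrets(SAMPLE_LOG):
        print(f"line {n}: {key} leaked value {value!r}")
```

Run the scanner over the server and locator log directories of an affected deployment; every hit is a credential to rotate, not just a line to delete.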
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.geode:geode-core | Maven | < 1.12.5 | 1.12.5 |
| org.apache.geode:geode-core | Maven | >= 1.13.0, < 1.13.5 | 1.13.5 |
Affected products
- Apache Software Foundation / Apache Geode (version range as in the affected packages above)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-mw25-f5r2-hpc6 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-34797 (NVD entry)
- https://lists.apache.org/thread/nq2w9gjzm1cjx1rh6zw41ty39qw7qpx4 (Apache mailing list announcement)
- https://lists.apache.org/thread/p4l0g49rzzzpn8yt9q9p0xp52h3zmsmk (Apache mailing list announcement)
News mentions
No linked articles in our index yet.