Moderate severityNVD Advisory· Published Aug 31, 2022· Updated Aug 3, 2024
Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
CVE-2022-37023
Description
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.geode:geode-coreMaven | < 1.15.0 | 1.15.0 |
Affected products
2- Apache Software Foundation/Apache Geodev5Range: Apache Geode
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-72x9-48mc-phh6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-37023ghsaADVISORY
- lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfjghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.