Apache Geode
23 CVEs affecting Apache Geode. Latest disclosed: 2025-10-18. Critical: 5, High: 11.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-37021 | Critical | 9.8 | 2022-08-31 | Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user st… |
| CVE-2019-14892 | Critical | 9.8 | 2020-03-02 | A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious obj… |
| CVE-2020-1938 | Critical | 9.8 | 2020-02-24 | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having hig… |
| CVE-2014-0048 | Critical | 9.8 | 2020-01-02 | An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways. |
| CVE-2017-15692 | Critical | 9.8 | 2018-02-27 | In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the… |
| CVE-2025-47410 | High | 8.8 | 2025-10-18 | Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user i… |
| CVE-2022-37022 | High | 8.8 | 2022-08-31 | Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing t… |
| CVE-2017-15695 | High | 8.8 | 2018-06-13 | When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invok… |
| CVE-2019-15752 | High | 7.8 | 2019-08-28 | Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMD… |
| CVE-2021-34797 | High | 7.5 | 2022-01-04 | Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters… |
| CVE-2017-15693 | High | 7.5 | 2018-02-27 | In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objec… |
| CVE-2017-15696 | High | 7.5 | 2018-02-26 | When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. Thi… |
| CVE-2017-9795 | High | 7.5 | 2018-01-10 | When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL quer… |
| CVE-2017-5649 | High | 7.5 | 2017-04-04 | Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ bu… |
| CVE-2019-10091 | High | 7.4 | 2020-03-16 | When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate… |
| CVE-2017-12622 | High | 7.1 | 2018-01-10 | When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the… |
| CVE-2022-37023 | Medium | 6.5 | 2022-08-31 | Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to… |
| CVE-2017-15694 | Medium | 6.5 | 2019-06-21 | When an Apache Geode server versions 1.0.0 to 1.8.0 is operating in secure mode, a user with write permissions for specific data regions can modify internal cl… |
| CVE-2017-9797 | Medium | 6.5 | 2017-10-03 | When an Apache Geode cluster before v1.2.1 is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata me… |
| CVE-2024-44088 | Medium | 6.1 | 2025-10-14 | Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in… |