CVE-2022-37023

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-37023

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37023.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-37023

Aliases

GHSA-72x9-48mc-phh6

Published

2022-08-31T07:15:07Z

Modified

2025-09-19T14:06:00.674731Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.

References

https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj

Affected packages

Git / github.com/apache/geode

Affected ranges

Type: GIT
Repo: https://github.com/apache/geode
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1869f2c06681bb73de727d2080d76c6215db9fb9

Affected versions

Other

develop/highwater

sga2-core

rel/v1.*

rel/v1.0.0-incubating

rel/v1.0.0-incubating.M1

rel/v1.0.0-incubating.M2

rel/v1.0.0-incubating.M3

rel/v1.1.0

rel/v1.1.1

rel/v1.2.0

rel/v1.2.1

rel/v1.3.0

rel/v1.4.0

rel/v1.5.0

rel/v1.6.0

rel/v1.7.0

rel/v1.8.0

rel/v1.9.0

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "271565698906081870400169871511662208430",
                    "176187584659808302530788165325360213355",
                    "134880645845953282268972577247585880031",
                    "53295455689425563555996461759800583693",
                    "70083092266538896607488590401427580807",
                    "289021059350922040194240575560381792757",
                    "10829721629913145967682247146006937839",
                    "305238111899125501357639011755052031703",
                    "93335574219089873899986001117433296606",
                    "314749251526121229644009105875443066679",
                    "164254472352684605065835893787591616778",
                    "310113726972266865595363195125320584944",
                    "329861190717333577342179465029766201288",
                    "7284826531753941901750520790015254528",
                    "69758159662841269769156527668657038799",
                    "114393473920070319626796743782660078873",
                    "116252813271263944326105403300875878227",
                    "275776104964228786121551553639020523464",
                    "268677713687836665472361218880504497278",
                    "291620291836338604326870964666082246575",
                    "304876704896918746566785673531662587337",
                    "892111163148490529540875392021719412",
                    "284626310180379447834987912419466098288"
                ]
            },
            "deprecated": false,
            "signature_type": "Line",
            "source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9",
            "id": "CVE-2022-37023-809662cb",
            "signature_version": "v1",
            "target": {
                "file": "geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxyTest.java"
            }
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "279118738397569944925485559297762383710",
                    "65322130819880844940466556451331768114",
                    "277682453534267293812759125465126622376",
                    "301472015557760709901877389848514072764",
                    "319421240591323641868920876121877197410",
                    "238359394992625475952054164253364297180",
                    "4410955819757281567268618184541616251",
                    "223043664404684175555379802953565586640"
                ]
            },
            "deprecated": false,
            "signature_type": "Line",
            "source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9",
            "id": "CVE-2022-37023-84bd298c",
            "signature_version": "v1",
            "target": {
                "file": "geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java"
            }
        },
        {
            "digest": {
                "function_hash": "137852228223487124481135004770762797359",
                "length": 1321.0
            },
            "deprecated": false,
            "signature_type": "Function",
            "source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9",
            "id": "CVE-2022-37023-97ffb935",
            "signature_version": "v1",
            "target": {
                "file": "geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxyTest.java",
                "function": "before"
            }
        },
        {
            "digest": {
                "function_hash": "327511076890806405506015692481445654339",
                "length": 105.0
            },
            "deprecated": false,
            "signature_type": "Function",
            "source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9",
            "id": "CVE-2022-37023-98869495",
            "signature_version": "v1",
            "target": {
                "file": "geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java",
                "function": "notifyReAuthentication"
            }
        }
    ]
}