Publish Advisories

GHSA-2gw6-73wc-x88f
GHSA-37m3-qp37-x3c6
GHSA-6m68-3w55-6mx4
GHSA-95m2-p98f-24r5
GHSA-g569-49wg-jx5f
GHSA-h22r-h77w-2g5f
GHSA-jmg4-x4vp-6c6x
GHSA-q7cp-r6cj-hpf5
GHSA-vh98-fqfc-4hj3
GHSA-w395-hpq9-7xwr
GHSA-5r3h-c3r7-9w4h

advisories/unreviewed/2022/05/GHSA-2gw6-73wc-x88f/GHSA-2gw6-73wc-x88f.json → advisories/github-reviewed/2022/05/GHSA-2gw6-73wc-x88f/GHSA-2gw6-73wc-x88f.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-2gw6-73wc-x88f",
-  "modified": "2022-05-17T02:50:39Z",
+  "modified": "2022-11-08T14:33:24Z",
   "published": "2022-05-17T02:50:39Z",
   "aliases": [
     "CVE-2017-5649"
   ],
+  "summary": "Apache Geode information disclosure vulnerability",
   "details": "Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.",
   "severity": [
     {
@@ -14,7 +15,28 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.geode:geode-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.1.0"
+            },
+            {
+              "fixed": "1.1.1"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "1.1.0"
+      ]
+    }
   ],
   "references": [
     {
@@ -24,17 +46,13 @@
     {
       "type": "WEB",
       "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w@mail.gmail.com%3e"
-    },
-    {
-      "type": "WEB",
-      "url": "http://www.securityfocus.com/bid/97378"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-200"
     ],
     "severity": "HIGH",
-    "github_reviewed": false
+    "github_reviewed": true
   }
 }

advisories/unreviewed/2022/05/GHSA-37m3-qp37-x3c6/GHSA-37m3-qp37-x3c6.json → advisories/github-reviewed/2022/05/GHSA-37m3-qp37-x3c6/GHSA-37m3-qp37-x3c6.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-37m3-qp37-x3c6",
-  "modified": "2022-05-17T00:34:39Z",
+  "modified": "2022-11-08T14:34:53Z",
   "published": "2022-05-17T00:34:39Z",
   "aliases": [
     "CVE-2017-9794"
   ],
+  "summary": "Apache Geode gfsh query vulnerability",
   "details": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.",
   "severity": [
     {
@@ -14,7 +15,25 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.geode:geode-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            },
+            {
+              "fixed": "1.2.1"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -23,14 +42,18 @@
     },
     {
       "type": "WEB",
-      "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw@mail.gmail.com%3e"
+      "url": "https://issues.apache.org/jira/browse/GEODE-3217"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/403xxbfrh4csyj1st7351g2dkm0hb91v"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-200"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false
+    "github_reviewed": true
   }
 }

advisories/unreviewed/2022/05/GHSA-6m68-3w55-6mx4/GHSA-6m68-3w55-6mx4.json → advisories/github-reviewed/2022/05/GHSA-6m68-3w55-6mx4/GHSA-6m68-3w55-6mx4.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-6m68-3w55-6mx4",
-  "modified": "2022-05-14T00:57:16Z",
+  "modified": "2022-11-08T14:19:47Z",
   "published": "2022-05-14T00:57:16Z",
   "aliases": [
     "CVE-2017-9795"
   ],
+  "summary": "Apache Geode OQL method invocation vulnerability",
   "details": "When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. In addition a user could invoke methods that allow remote code execution.",
   "severity": [
     {
@@ -14,7 +15,25 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.geode:geode-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            },
+            {
+              "fixed": "1.3.0"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -23,26 +42,26 @@
     },
     {
       "type": "WEB",
-      "url": "https://lists.apache.org/thread.html/0fc5ea3c1ea06fe7058a0ab56d593914b05f728a6c93c5a6755956c7@%3Cuser.geode.apache.org%3E"
+      "url": "https://issues.apache.org/jira/browse/GEODE-3247"
     },
     {
       "type": "WEB",
-      "url": "https://lists.apache.org/thread.html/232d75150991820d2fe6ba6bd4265fb58b4fe4d9d8d62eb2fd97256c@%3Cdev.geode.apache.org%3E"
+      "url": "https://lists.apache.org/thread.html/0fc5ea3c1ea06fe7058a0ab56d593914b05f728a6c93c5a6755956c7@%3Cuser.geode.apache.org%3E"
     },
     {
       "type": "WEB",
-      "url": "https://lists.apache.org/thread.html/3a48163ca1fff757aefa4d9df24a251bb11ddd599a78cd85585abd00@%3Cdev.geode.apache.org%3E"
+      "url": "https://lists.apache.org/thread.html/232d75150991820d2fe6ba6bd4265fb58b4fe4d9d8d62eb2fd97256c@%3Cdev.geode.apache.org%3E"
     },
     {
       "type": "WEB",
-      "url": "http://www.securityfocus.com/bid/102488"
+      "url": "https://lists.apache.org/thread.html/3a48163ca1fff757aefa4d9df24a251bb11ddd599a78cd85585abd00@%3Cdev.geode.apache.org%3E"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-200"
     ],
     "severity": "HIGH",
-    "github_reviewed": false
+    "github_reviewed": true
   }
 }

advisories/unreviewed/2022/05/GHSA-95m2-p98f-24r5/GHSA-95m2-p98f-24r5.json → advisories/github-reviewed/2022/05/GHSA-95m2-p98f-24r5/GHSA-95m2-p98f-24r5.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-95m2-p98f-24r5",
-  "modified": "2022-05-14T03:35:52Z",
+  "modified": "2022-11-08T14:32:31Z",
   "published": "2022-05-14T03:35:52Z",
   "aliases": [
     "CVE-2017-15693"
   ],
+  "summary": "Apache Geode unsafe deserialization of application objects",
   "details": "In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.",
   "severity": [
     {
@@ -14,7 +15,25 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.geode:geode-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            },
+            {
+              "fixed": "1.4.0"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
@@ -23,18 +42,22 @@
     },
     {
       "type": "WEB",
-      "url": "https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d@%3Cuser.geode.apache.org%3E"
+      "url": "https://github.com/apache/geode/pull/1166"
     },
     {
       "type": "WEB",
-      "url": "http://www.securityfocus.com/bid/103206"
+      "url": "https://issues.apache.org/jira/browse/GEODE-3923"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d@%3Cuser.geode.apache.org%3E"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-502"
     ],
     "severity": "HIGH",
-    "github_reviewed": false
+    "github_reviewed": true
   }
 }

advisories/unreviewed/2022/05/GHSA-g569-49wg-jx5f/GHSA-g569-49wg-jx5f.json → advisories/github-reviewed/2022/05/GHSA-g569-49wg-jx5f/GHSA-g569-49wg-jx5f.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-g569-49wg-jx5f",
-  "modified": "2022-05-14T03:37:08Z",
+  "modified": "2022-11-08T14:18:19Z",
   "published": "2022-05-14T03:37:08Z",
   "aliases": [
     "CVE-2017-15696"
   ],
+  "summary": "Apache Geode configuration request authorization vulnerability",
   "details": "When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.",
   "severity": [
     {
@@ -14,13 +15,43 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.geode:geode-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            },
+            {
+              "fixed": "1.4.0"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15696"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/geode/pull/1059"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/geode"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.apache.org/jira/browse/GEODE-3962"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f@%3Cdev.geode.apache.org%3E"
@@ -31,6 +62,6 @@
       "CWE-200"
     ],
     "severity": "HIGH",
-    "github_reviewed": false
+    "github_reviewed": true
   }
 }

advisories/unreviewed/2022/05/GHSA-h22r-h77w-2g5f/GHSA-h22r-h77w-2g5f.json → advisories/github-reviewed/2022/05/GHSA-h22r-h77w-2g5f/GHSA-h22r-h77w-2g5f.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.3.0",
   "id": "GHSA-h22r-h77w-2g5f",
-  "modified": "2022-05-14T03:47:21Z",
+  "modified": "2022-11-08T14:16:46Z",
   "published": "2022-05-14T03:47:21Z",
   "aliases": [
     "CVE-2017-12622"
   ],
+  "summary": "Apache Geode gfsh authorization vulnerability",
   "details": "When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges.",
   "severity": [
     {
@@ -14,13 +15,35 @@
     }
   ],
   "affected": [
-
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.geode:geode-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0"
+            },
+            {
+              "fixed": "1.3.0"
+            }
+          ]
+        }
+      ]
+    }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12622"
     },
+    {
+      "type": "WEB",
+      "url": "https://issues.apache.org/jira/browse/GEODE-3685"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread.html/560578479dabbdc93d0ee8746b7c857549202ef82f43aa22496aa589@%3Cuser.geode.apache.org%3E"
@@ -31,6 +54,6 @@
       "CWE-200"
     ],
     "severity": "HIGH",
-    "github_reviewed": false
+    "github_reviewed": true
   }
 }