CVE-2019-11286
9
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
Summary
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| VMware Tanzu | VMware GemFire | 9.7 < 9.7.5 | affected |
| VMware Tanzu | VMware GemFire | 9.8 < 9.8.5 | affected |
| VMware Tanzu | VMware GemFire | 9.9 < 9.9.1 | affected |
| VMware Tanzu | VMware GemFire | 9.10 < 9.10.0 | affected |
| VMware Tanzu | VMware Tanzu GemFire for VMs | 1.9 < 1.9.2 | affected |
| VMware Tanzu | VMware Tanzu GemFire for VMs | 1.10 < 1.10.1 | affected |
| VMware Tanzu | VMware Tanzu GemFire for VMs | 1.8 < 1.8.2 | affected |
| VMware Tanzu | VMware Tanzu GemFire for VMs | 1.11 < 1.11.0 | affected |
Weaknesses
- CWE-502: CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.