When an end-user visits an affected Apache Geode instance, they are redirected to the login page of their choosing.

This redirection happens when a user clicks on a Region entry in the Pulse interface.

When the user is redirected to their chosen web site, the data being sent in the URL bar of the browser is executed by the server.

An attacker who knows the redirect URL of an Apache Geode end-user and has access to the application layer of the server can inject a malicious script (Cross-Site Scripting, XSS) via data injection. This can lead to information disclosure (including session hijacking), unauthorized access to the system, or anything else that can be performed with the power of a malicious injected script.

Apache Geode versions 1.15.0 to 1.18.0 are vulnerable to Cross-Site Scripting (XSS) via data injection in the Apache Geode Administration interface.

Vulnerability: Cross-Site Scripting (XSS) via data injection

To exploit this issue, an attacker must be able to inject a malicious script into the Apache Geode Administration interface.

The injected script will execute for any end-user who visits the web site of their choosing by sending data in the URL bar of their browser. This can lead to information disclosure (including session hijacking), unauthorized access to the system, or anything else that can be performed with the power of a malicious injected script.
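The class of fix for XSS via data injection is to encode stored data for the HTML context before an interface such as the Region entry view renders it. The sketch below is an added example, not Apache Geode or Pulse source code; all function names and the sample entries are hypothetical and constructed for illustration.

```javascript
// Added illustration; not Apache Geode / Pulse source code.
// Hypothetical helpers showing why stored data must be encoded for the
// HTML context before an admin interface renders it.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: entry data is concatenated into markup as-is, so any
// markup stored in a key or value becomes part of the page.
function renderEntryUnsafe(entry) {
  return "<tr><td>" + entry.key + "</td><td>" + entry.value + "</td></tr>";
}

// Hardened pattern: every data field is encoded before it reaches markup.
function renderEntrySafe(entry) {
  return (
    "<tr><td>" + escapeHtml(entry.key) + "</td><td>" +
    escapeHtml(entry.value) + "</td></tr>"
  );
}

// Review aid: list the fields of an entry that contain HTML metacharacters
// and would alter page structure if rendered without encoding.
function fieldsNeedingEncoding(entry) {
  return Object.keys(entry).filter((f) => /[&<>"']/.test(String(entry[f])));
}

// Constructed sample entries (not taken from any real system).
const SAMPLE_ENTRIES = [
  { key: "customer-1", value: "Alice" },
  { key: "customer-2", value: "<script>alert(document.domain)</script>" },
];

function renderTable(entries, renderRow) {
  return "<table>" + entries.map(renderRow).join("") + "</table>";
}
```

With the hardened renderer the second sample entry is displayed as literal text, while the unsafe renderer places its markup into the page unchanged.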

Affected Apache Geode version

Versions 1.15.0 to 1.18.0 are affected by this XSS vulnerability that exists in the Apache Geode Administration interface.

Vulnerable code example

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34870

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 03:31:00 UTC

References