{"schema_version": "1.6.1", "id": "CVE-2022-37023", "summary": "Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11", "details": "Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11.\n\nAny user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling \"validate-serializable-objects=true\" and specifying any user classes that may be serialized/deserialized with \"serializable-object-filter\". Enabling \"validate-serializable-objects\" may impact performance.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Geode"}, {"fixed": "1.15.0"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}]}