CVSS Score

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.geode:geode-core | maven | >= 1.0.0, < 1.4.0 | 1.4.0 |

The vulnerability stems from fetching the cluster configuration over a direct TcpClient connection to the locator, with no authorization check applied to that request. The fix in GEODE-3962 (PR #1059) replaced the TcpClient call with a FunctionService-based request, which goes through Geode's security layer. The original TCP path in ClusterConfigurationLoader carried no security context, so even with security enabled the cluster configuration was handed out without the caller being validated; that request is the vulnerable entry point, and the JIRA ticket and the PR diff both identify this communication mechanism as the attack vector. Remediation is to move geode-core to 1.4.0, the first patched version listed above, or later.
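The practical check that follows from the table is whether any deployed geode-core jar sits in the affected range. The script below is an added example, not code from the advisory or from Apache Geode: it compares dotted versions numerically (so 1.10.0 is correctly treated as newer than 1.4.0), extracts the version from Maven-style jar names, and flags jars in [1.0.0, 1.4.0). The jar names and directory in the demo at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the advisory's or Geode's own code): find geode-core jars
# under a directory and flag those in the vulnerable range >= 1.0.0, < 1.4.0.

# vercmp A B: compare two dotted numeric versions component by component.
# Prints -1, 0 or 1. Missing trailing components count as 0, so 1.4 == 1.4.0.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  echo 0
}

# geode_core_vulnerable VERSION: succeeds (exit 0) when VERSION falls in
# [1.0.0, 1.4.0), the range the advisory table lists as affected.
geode_core_vulnerable() {
  [ "$(vercmp "$1" 1.0.0)" -ge 0 ] && [ "$(vercmp "$1" 1.4.0)" -lt 0 ]
}

# jar_version PATH: print the numeric version from a name such as
# geode-core-1.3.0.jar; print nothing for other jars. A qualifier such as
# -SNAPSHOT is dropped, i.e. a 1.4.0 pre-release is treated as 1.4.0.
jar_version() {
  basename "$1" | sed -n \
    -e '/^geode-core-[0-9]/!d' \
    -e 's/^geode-core-//' \
    -e 's/\.jar$//' \
    -e 's/-.*$//' \
    -e '/^[0-9][0-9.]*$/p'
}

# scan_dir DIR: one "STATUS version path" line per geode-core jar in DIR.
scan_dir() {
  for jar in "$1"/geode-core-*.jar; do
    [ -e "$jar" ] || continue        # unmatched glob stays literal; skip it
    v=$(jar_version "$jar")
    [ -n "$v" ] || continue
    if geode_core_vulnerable "$v"; then
      echo "VULNERABLE $v $jar"
    else
      echo "patched    $v $jar"
    fi
  done
}

# Constructed demo: empty files standing in for jars in a lib directory.
demo_dir=$(mktemp -d)
for name in geode-core-1.0.0.jar geode-core-1.3.0.jar geode-core-1.4.0.jar \
            geode-core-1.10.0.jar geode-cq-1.3.0.jar; do
  : > "$demo_dir/$name"
done
scan_dir "$demo_dir"
rm -rf "$demo_dir"
```

Point `scan_dir` at each lib directory of a running Geode install (or the Maven local repository) rather than trusting a build file, since a stale jar on the classpath is what actually runs. The `-SNAPSHOT` handling is deliberately lenient; tighten it if pre-release 1.4.0 builds are in use.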