[ 
https://issues.apache.org/jira/browse/GEODE-10590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jinwoo Hwang updated GEODE-10590:
---------------------------------
    Description: 
Remediation of CVE-2026-34480
Affected versions of this package are vulnerable to Improper Encoding or 
Escaping of Output in the XmlLayout plugin. An attacker can cause log events to 
be silently lost or malformed by injecting XML 1.0 forbidden characters into 
log messages or MDC values. This may result in malformed XML output, which can 
cause downstream log-processing systems to drop affected records or prevent log 
events from being delivered to their intended destinations.

  was:
Remediation of CVE-2026-0636
LDAP Injection via the `parseDN` handling and the LDAP store helpers in 
`X509LDAPCertStoreSpi` and `LDAPStoreHelper`. An attacker can influence LDAP 
search filters by supplying a crafted X.500 subject or issuer string that is 
parsed into an unescaped filter value. This lets the attacker alter the 
directory query used to locate certificates and CRLs, causing the application 
to retrieve incorrect LDAP entries or fail to find the intended ones, which can 
break certificate validation and revocation checks


> Remediation of CVE-2026-34480
> -----------------------------
>
>                 Key: GEODE-10590
>                 URL: https://issues.apache.org/jira/browse/GEODE-10590
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>
> Remediation of CVE-2026-34480
> Affected versions of this package are vulnerable to Improper Encoding or 
> Escaping of Output in the XmlLayout plugin. An attacker can cause log events 
> to be silently lost or malformed by injecting XML 1.0 forbidden characters 
> into log messages or MDC values. This may result in malformed XML output, 
> which can cause downstream log-processing systems to drop affected records or 
> prevent log events from being delivered to their intended destinations.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to