[ 
https://issues.apache.org/jira/browse/GEODE-10590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jinwoo Hwang updated GEODE-10590:
---------------------------------
    Description: Affected versions of this package are vulnerable to Allocation 
of Resources Without Limits or Throttling due to the lack of enforced limits in 
the `HPackDecoder` process. An attacker can exhaust system memory by sending 
oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement 
applies the configured header list size limit.  (was: Remediation of 
CVE-2026-34480
Affected versions of this package are vulnerable to Improper Encoding or 
Escaping of Output in the XmlLayout plugin. An attacker can cause log events to 
be silently lost or malformed by injecting XML 1.0 forbidden characters into 
log messages or MDC values. This may result in malformed XML output, which can 
cause downstream log-processing systems to drop affected records or prevent log 
events from being delivered to their intended destinations.)
        Summary: Remediation of CVE-2026-54428  (was: Remediation of 
CVE-2026-34480)

> Remediation of CVE-2026-54428
> -----------------------------
>
>                 Key: GEODE-10590
>                 URL: https://issues.apache.org/jira/browse/GEODE-10590
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>
> Affected versions of this package are vulnerable to Allocation of Resources 
> Without Limits or Throttling due to the lack of enforced limits in the 
> `HPackDecoder` process. An attacker can exhaust system memory by sending 
> oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement 
> applies the configured header list size limit.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to