[
https://issues.apache.org/jira/browse/GEODE-10590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinwoo Hwang updated GEODE-10590:
---------------------------------
Description: Affected versions of this package are vulnerable to Allocation
of Resources Without Limits or Throttling due to the lack of enforced limits in
the `HPackDecoder` process. An attacker can exhaust system memory by sending
oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement
applies the configured header list size limit. (was: Remediation of
CVE-2026-34480
Affected versions of this package are vulnerable to Improper Encoding or
Escaping of Output in the XmlLayout plugin. An attacker can cause log events to
be silently lost or malformed by injecting XML 1.0 forbidden characters into
log messages or MDC values. This may result in malformed XML output, which can
cause downstream log-processing systems to drop affected records or prevent log
events from being delivered to their intended destinations.)
Summary: Remediation of CVE-2026-54428 (was: Remediation of
CVE-2026-34480)
> Remediation of CVE-2026-54428
> -----------------------------
>
> Key: GEODE-10590
> URL: https://issues.apache.org/jira/browse/GEODE-10590
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
>
> Affected versions of this package are vulnerable to Allocation of Resources
> Without Limits or Throttling due to the lack of enforced limits in the
> `HPackDecoder` process. An attacker can exhaust system memory by sending
> oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement
> applies the configured header list size limit.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)