Information Disclosure Vulnerability in Apache Geode by The Apache Software Foundation
CVE-2017-5649

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Geode
Vendor: CVE Published:; 4 April 2017

Summary

Apache Geode versions prior to 1.1.1 feature a security misconfiguration that permits remote authenticated users with CLUSTER:READ permission (but lacking DATA:READ permission) to access the data browser page in Pulse. This could enable the users to execute an OQL query, inadvertently disclosing sensitive data stored within the cluster due to the inadequate enforcement of security permissions.

Affected Version(s)

Apache Geode 1.1.0

References

http://www.securityfocus.com/bid/97378

vdb-entryx_refsource_BID

http://mail-archives.apache.org/mod_mbox/geode-user/20170...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 4, 2017
Vulnerability Reserved
Jan 29, 2017