CyberSec.Space Logo
Back to CVE Browser

CVE-2017-5649

HIGH
7.5
CVSS Severity Score
EPSS Score0.1380%
EPSS Percentile42.42th
PublishedApr 4, 2017
Last ModifiedMay 13, 2026

Vulnerability Description

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.

Affected Platforms (CPE)

πŸ“¦
Apache

Geode

<= 1.1.0

References & Advisories

πŸ”— http://mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w%40mail.gmail.com%3e
πŸ”— http://www.securityfocus.com/bid/97378
πŸ”— http://mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w%40mail.gmail.com%3e
πŸ”— http://www.securityfocus.com/bid/97378

Related Vulnerabilities

CVE-2017-156929.8

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivile...

CVE-2016-98859.8

An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geod...

CVE-2017-156958.8

When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is al...

CVE-2017-97957.5

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode...