CVE-2017-5649

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*

History

07 Nov 2023, 02:49

Type Values Removed Values Added
References
  • {'url': 'http://mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w@mail.gmail.com%3e', 'name': '[geode-user] 20170404 [CVE-2017-5649] Apache Geode information disclosure vulnerability', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • () http://mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w%40mail.gmail.com%3e -

Information

Published : 2017-04-04 18:59

Updated : 2023-12-10 12:01


NVD link : CVE-2017-5649

Mitre link : CVE-2017-5649

CVE.ORG link : CVE-2017-5649


JSON object : View

Products Affected

apache

  • geode
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor