CVE-2017-5649

CWE-200 — Information Exposure4 documents4 sources

Severity

7.5HIGH

EPSS

0.1%

top 77.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Geode Apache Software Foundation Apache Geode

Timeline

PublishedApr 4

Latest updateMay 17

Description

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.geode:geode-core1.1.0 — 1.1.1

▶NVDapache/geode1.1.0

▶CVEListV5apache_software_foundation/apache_geode1.1.0

🔴Vulnerability Details

GHSA

Apache Geode information disclosure vulnerability↗2022-05-17

▶

OSV

Apache Geode information disclosure vulnerability↗2022-05-17

▶

CVEList

CVE-2017-5649: Apache Geode before 1↗2017-04-04

▶