Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nNTY5LTQ5d2ctang1Zs4AAXOK

Apache Geode configuration request authorization vulnerability

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.

Permalink: https://github.com/advisories/GHSA-g569-49wg-jx5f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNTY5LTQ5d2ctang1Zs4AAXOK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago


CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-g569-49wg-jx5f, CVE-2017-15696
References: Repository: https://github.com/apache/geode
Blast Radius: 19.2

Affected Packages

maven:org.apache.geode:geode-core
Dependent packages: 51
Dependent repositories: 368
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.4.0
Fixed in: 1.4.0
All affected versions: 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0
All unaffected versions: 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.0, 1.15.1