Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNTY5LTQ5d2ctang1Zs4AAXOK
Apache Geode configuration request authorization vulnerability
When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.
Permalink: https://github.com/advisories/GHSA-g569-49wg-jx5f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNTY5LTQ5d2ctang1Zs4AAXOK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-g569-49wg-jx5f, CVE-2017-15696
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15696
- https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f@%3Cdev.geode.apache.org%3E
- https://github.com/apache/geode/pull/1059
- https://issues.apache.org/jira/browse/GEODE-3962
- https://github.com/advisories/GHSA-g569-49wg-jx5f
Blast Radius: 19.2
Affected Packages
maven:org.apache.geode:geode-core
Dependent packages: 51
Dependent repositories: 368
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.4.0
Fixed in: 1.4.0
All affected versions: 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0
All unaffected versions: 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.15.0, 1.15.1