Description

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.

Remediation

References

https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f%40%3Cdev.geode.apache.org%3E

Related Vulnerabilities

CVE-2014-0043 Vulnerability in maven package org.apache.wicket:wicket-core

CVE-2012-3353 Vulnerability in maven package org.apache.sling:org.apache.sling.jcr.contentloader

CVE-2007-5333 Vulnerability in maven package tomcat:tomcat-coyote

CVE-2018-1000148 Vulnerability in maven package org.jenkins-ci.plugins:copy-to-slave

CVE-2017-16058 Vulnerability in npm package gruntcli

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N