Description

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.

Remediation

References

https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f%40%3Cdev.geode.apache.org%3E

Related Vulnerabilities

CVE-2017-16047 Vulnerability in npm package mysqljs

CVE-2017-7683 Vulnerability in maven package org.apache.openmeetings:openmeetings-server

CVE-2017-16064 Vulnerability in npm package node-openssl

CVE-2017-16204 Vulnerability in npm package jquey

CVE-2018-1306 Vulnerability in maven package org.apache.portals.pluto:portletv3annotateddemo

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N