CVE-2017-15696

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.

Published: Feb 26, 2018
Updated: Nov 8, 2023
CVE: CVE-2017-15696
GHSA: GHSA-g569-49wg-jx5f
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
apache / geode	1.0.0	1.3.0.x
org.apache.geode / geode-core	1.0.0	1.4.0

https://github.com/apache/geode/pull/1059
https://issues.apache.org/jira/browse/GEODE-3962
https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f@%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f%40%3Cdev.geode.apache.org%3E

Vulnerability Database

289,599

CVE-2017-15696