CVE-2017-5649

Summary

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Geode1.1.0affected

Weaknesses

  • improper access control

ADP Enrichment

CVE Program Container

Additional References

References