CVE-2017-5649
First published: Tue Apr 04 2017(Updated: )
Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Geode | <=1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-5649?
The severity of CVE-2017-5649 is rated high with a score of 7.5.
How do I fix CVE-2017-5649?
To mitigate CVE-2017-5649, upgrade to Apache Geode version 1.1.1 or later.
Who is affected by CVE-2017-5649?
CVE-2017-5649 affects users of Apache Geode versions prior to 1.1.1 with enabled security.
What type of attack does CVE-2017-5649 facilitate?
CVE-2017-5649 can allow remote authenticated users to access restricted data through an OQL query.
What is the vulnerability type for CVE-2017-5649?
CVE-2017-5649 falls under CWE-200, which pertains to information exposure.
- collector/nvd-index
- vendor/apache
- product/geode
- canonical/apache geode