[MAVEN:GHSA-2GW6-73WC-X88F] Apache Geode information disclosure vulnerability

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.

Package Affected Version
pkg:maven/org.apache.geode/geode-core = 1.1.0
Package Fixed Version
pkg:maven/org.apache.geode/geode-core = 1.1.1
ID
MAVEN:GHSA-2GW6-73WC-X88F
Severity
high
URL
https://github.com/advisories/GHSA-2gw6-73wc-x88f
Published
2022-05-17T02:50:39
Modified
2023-01-29T05:04:01
Rights
Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.apache.geode/geode-core | org.apache.geode | geode-core | = 1.1.0 | | | |
| Fixed | pkg:maven/org.apache.geode/geode-core | org.apache.geode | geode-core | = 1.1.1 | | | |