Description

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.

Remediation

References

https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f%40%3Cdev.geode.apache.org%3E

Related Vulnerabilities

CVE-2018-1000169 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2016-3724 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2021-32624 Vulnerability in npm package keystone

CVE-2014-3680 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-9796 Vulnerability in maven package org.apache.geode:geode-core

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N