Description

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.

Remediation

References

https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f%40%3Cdev.geode.apache.org%3E

Related Vulnerabilities

CVE-2016-3727 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-8443 Vulnerability in npm package kibana

CVE-2023-25500 Vulnerability in maven package com.vaadin:vaadin

CVE-2019-1003021 Vulnerability in maven package org.jenkins-ci.plugins:oic-auth

CVE-2019-10407 Vulnerability in maven package hudson.plugins:project-inheritance

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N