CVE-2017-15696
HIGH
Apache Geode 1.0.0-1.3.0 & geode-core 1.0.0-1.4.0 - Sensitive Info Exposure via Config Service
Title source: llm
Description
When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.
Scores
CVSS v3
7.5
EPSS
0.0022
EPSS Percentile
44.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
apache/geode
1.0.0 - 1.3.0
org.apache.geode/geode-core
1.0.0 - 1.4.0 (Maven)
Published
Feb 26, 2018
Tracked Since
Feb 18, 2026