Description
When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions.
References (1)
Core 1
Core References
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/e580d22195b6b61ff9cf866ac6dd6fe16e790ff0e14a3b1a22cd20b1%40%3Cuser.geode.apache.org%3E
Scores
CVSS v3
5.3
EPSS
0.0011
EPSS Percentile
29.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
apache/geode
< 1.3.0
org.apache.geode/geode-core
1.0.0 - 1.3.0Maven
Published
Jan 10, 2018
Tracked Since
Feb 18, 2026