CVE-2017-9797

MEDIUM

Apache Geode <v1.2.1 - Info Disclosure/DoS

Title source: llm

Description

When an Apache Geode cluster before v1.2.1 is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata messages. These metadata operations could leak information about application data types. In addition, an attacker could perform a denial of service attack on the cluster.

Scores

CVSS v3 6.5
EPSS 0.0016
EPSS Percentile 36.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

Details

CWE
CWE-200
Status published
Products (6)
apache/geode < 1.2.0
Apache Software Foundation/Apache Geode 1.0.0
Apache Software Foundation/Apache Geode 1.1.0
Apache Software Foundation/Apache Geode 1.1.1
Apache Software Foundation/Apache Geode 1.2.0
org.apache.geode/geode-core 1.0.0 - 1.2.1 (Maven)
Published Oct 03, 2017
Tracked Since Feb 18, 2026