www-announce mailing list archives

From Anthony Baker <aba...@apache.org>
Subject [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability
Date Fri, 29 Sep 2017 17:33:38 GMT
CVE-2017-9794 Apache Geode gfsh query vulnerability

Severity: Low
CVSS Base Score 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vendor: The Apache Software Foundation

Versions Affected:
Apache Geode 1.0.0 through 1.2.0

Description:
When a cluster is operating in secure mode, a user with read
privileges for specific data regions can use the gfsh command line
utility to execute queries. The query results may contain data from
another user's concurrently executing gfsh query, potentially
revealing data that the user is not authorized to view.

Mitigation:
Users of the affected versions should upgrade to Apache Geode 1.2.1 or later.

Credit:
This issue was reported responsibly to the Apache Geode PMC by Jared
Stewart from Pivotal.

References:
[1] https://issues.apache.org/jira/browse/GEODE-3217
[2] https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities

---
The Geode PMC
