CVE-2017-15695
HIGH8.8EPSS 2.2%Apache Geode vulnerable to Incorrect Authorization
Published: 5/13/2022Modified: 4/12/2024
Description
When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
Affected packages (1)
- Maven/org.apache.geode:geode-core>= 1.0.0, < 1.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (13)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-15695
- PATCHhttps://github.com/apache/geode
- WEBhttps://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities
- WEBhttps://github.com/apache/geode/commit/00be4f9774e1adf8e7ccc2664da8005fc30bb11d
- WEBhttps://github.com/apache/geode/commit/49d28f93fd2ef069693ce15d124ef3a29f22fb7d
- WEBhttps://github.com/apache/geode/commit/6df14c8b1e3c644f9f810149e80bba0c2f073dab
- WEBhttps://github.com/apache/geode/commit/740289c61d60256c6270756bc84b9e24b76e4913
- WEBhttps://github.com/apache/geode/commit/90f8f6242927c5e16da64f38bba9abf3d450a305
- WEBhttps://github.com/apache/geode/commit/954ccb545d24a9c9a35cbd84023a4d7e07032de0
- WEBhttps://github.com/apache/geode/commit/aa469239860778eb46e09dd7b390aee08f152480
- WEBhttps://github.com/apache/geode/pull/1258
- WEBhttps://issues.apache.org/jira/browse/GEODE-3974
- WEBhttps://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99@%3Cuser.geode.apache.org%3E