Date: Tue, 4 Apr 2017 07:31:52 -0700
From: Anthony Baker <abaker@...che.org>
To: user@...de.apache.org, dev@...de.apache.org, announce@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: [CVE-2017-5649] Apache Geode information disclosure vulnerability

CVE-2017-5649: Apache Geode information disclosure vulnerability

Severity: Medium

Base score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)

Vendor: The Apache Software Foundation

Versions Affected: Geode 1.1.0

Description:
When a cluster has enabled security by setting the security-manager property, a user should have DATA:READ permission to view data stored in the cluster. However, if an authenticated user has CLUSTER:READ but not DATA:READ permission, they can access the data browser page in Pulse. From there the user could execute an OQL query that exposes data stored in the cluster.

Mitigation:
1.1.0 users should upgrade to 1.1.1

Credit:
This issue was discovered by Jinmei Liao.

References:
https://www.apache.org/security/
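The flaw described above is an authorization check applied at the wrong granularity: the Pulse data browser page is gated on CLUSTER:READ, but the OQL query run from that page reads region data and so needs DATA:READ. The following added example (not code from the advisory or from Apache Geode) models that in a simplified RESOURCE:OPERATION:REGION permission scheme with constructed grants and an in-memory region; the wildcard semantics, the user names and the query-parsing helper are assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """RESOURCE:OPERATION[:REGION]; '*' is a wildcard (assumed, simplified semantics)."""
    resource: str            # "CLUSTER" or "DATA"
    operation: str           # "READ", "WRITE" or "MANAGE"
    region: str = "*"

    def implies(self, needed: "Permission") -> bool:
        return (self.resource in ("*", needed.resource)
                and self.operation in ("*", needed.operation)
                and self.region in ("*", needed.region))


# Constructed grants: 'monitor' holds only CLUSTER:READ, the case in the advisory.
GRANTS = {
    "admin":   [Permission("*", "*")],
    "monitor": [Permission("CLUSTER", "READ")],
}

# Constructed in-memory region standing in for data stored in the cluster.
REGIONS = {"customers": {"c1": "alice@example.test", "c2": "bob@example.test"}}


def authorize(user: str, needed: Permission) -> bool:
    return any(p.implies(needed) for p in GRANTS.get(user, []))


def region_of(oql: str) -> str:
    # Minimal parser for "SELECT ... FROM /region" (assumption; OQL is richer than this).
    m = re.search(r"\bFROM\s+/(\w+)", oql, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported query")
    return m.group(1)


def execute(oql: str) -> list:
    return list(REGIONS[region_of(oql)].values())


def browser_query_vulnerable(user: str, oql: str) -> list:
    # Pre-fix behaviour: only the page-level CLUSTER:READ gate is applied.
    if not authorize(user, Permission("CLUSTER", "READ")):
        raise PermissionError("CLUSTER:READ required for Pulse")
    return execute(oql)


def browser_query_fixed(user: str, oql: str) -> list:
    # Fixed behaviour: the query itself is authorized against DATA:READ on the
    # region it reads, independently of the page-level gate.
    if not authorize(user, Permission("CLUSTER", "READ")):
        raise PermissionError("CLUSTER:READ required for Pulse")
    if not authorize(user, Permission("DATA", "READ", region_of(oql))):
        raise PermissionError("DATA:READ required for query")
    return execute(oql)


def leaks(check, user: str, oql: str) -> bool:
    """True if `check` lets `user` read region data with the given query."""
    try:
        check(user, oql)
        return True
    except PermissionError:
        return False
```

Running `leaks(browser_query_vulnerable, "monitor", "SELECT * FROM /customers")` returns True while the fixed variant returns False, which is the check a regression test for this class of bug should pin down.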