List:       oss-security
Subject:    [oss-security] [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability
From:       Anthony Baker <abaker () apache ! org>
Date:       2017-09-29 17:33:38
Message-ID: CAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw () mail ! gmail ! com
CVE-2017-9794 Apache Geode gfsh query vulnerability

Severity: Low
CVSS Base Score 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vendor: The Apache Software Foundation

Versions Affected:
Apache Geode 1.0.0 through 1.2.0

Description:
When a cluster is operating in secure mode, a user with read
privileges for specific data regions can use the gfsh command line
utility to execute queries.  The query results may contain data from
another user's concurrently executing gfsh query, potentially
revealing data that the user is not authorized to view.

Mitigation:
Users of the affected versions should upgrade to Apache Geode 1.2.1 or later.

Credit:
This issue was reported responsibly to the Apache Geode PMC by Jared
Stewart from Pivotal.

References:
[1] https://issues.apache.org/jira/browse/GEODE-3217
[2] https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities

---
The Geode PMC