CVE-2017-5649

Name of the Vulnerable Software and Affected Versions Apache Geode versions prior to 1.1.1

Description The issue allows remote authenticated users with limited permissions to access sensitive data. Specifically, users with CLUSTER:READ but not DATA:READ permission can access the data browser page in Pulse and execute an OQL query, exposing stored data in the cluster.

Recommendations For Apache Geode versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Pulse data browser page for users with only CLUSTER:READ permission until the update is applied.