PT-2018-5973 · Apache · Apache Geode

Published

2018-06-13

Updated

2022-05-13

CVE-2017-15695

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Apache Geode versions 1.0.0 through 1.4.0

Description: The issue allows a user with DATA:WRITE privileges to deploy code by invoking an internal Geode function when the Apache Geode server is configured with a security manager. This results in remote code execution. Normally, code deployment should be restricted to users with DATA:MANAGE privilege.

Recommendations: For Apache Geode versions 1.0.0 through 1.4.0, restrict code deployment to users with DATA:MANAGE privilege to prevent unauthorized remote code execution.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2017-15695

GHSA-JMG4-X4VP-6C6X

Affected Products

Apache Geode

PT-2018-5973 · Apache · Apache Geode

CVE-2017-15695

Weakness Enumeration

Related Identifiers

Affected Products

References · 17