Vulnerabilities > CVE-2017-15695 - Incorrect Authorization vulnerability in Apache Geode

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

apache

CWE-863

NVD

Published: 2018-06-13

Updated: 2023-11-07

Summary

When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Geode 1.0.0 Apache Geode 1.1.0 Apache Geode 1.1.1 Apache Geode 1.2.0 Apache Geode 1.2.1 Apache Geode 1.3.0 Apache Geode 1.4.0	7

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

http://www.securityfocus.com/bid/104465
https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99%40%3Cuser.geode.apache.org%3E