Vulnerability DatabaseCVE-2017-15695
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2017-15695
June 13, 2018
When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
Affected Packages
org.apache.geode:geode-core (JAVA):
Affected version(s) >=1.0.0-incubating <1.5.0
Fix Suggestion:
Update to version 1.5.0
Related ResourcesĀ (15)
https://github.com/apache/geode/pull/1258
https://github.com/apache/geode/commit/90f8f6242927c5e16da64f38bba9abf3d450a305
https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99@%3Cuser.geode.apache.org%3E
https://github.com/apache/geode/commit/6df14c8b1e3c644f9f810149e80bba0c2f073dab
https://github.com/apache/geode/commit/740289c61d60256c6270756bc84b9e24b76e4913
https://github.com/apache/geode/commit/49d28f93fd2ef069693ce15d124ef3a29f22fb7d
https://github.com/apache/geode
https://nvd.nist.gov/vuln/detail/CVE-2017-15695
http://www.securityfocus.com/bid/104465
https://github.com/apache/geode/commit/954ccb545d24a9c9a35cbd84023a4d7e07032de0
https://issues.apache.org/jira/browse/GEODE-3974
https://github.com/apache/geode/commit/aa469239860778eb46e09dd7b390aee08f152480
https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities
https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99%40%3Cuser.geode.apache.org%3E
https://github.com/apache/geode/commit/00be4f9774e1adf8e7ccc2664da8005fc30bb11d
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
6.5
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Incorrect Authorization
CWE-863
EPSS
Base Score:
2.24