CVE-2017-9794 - Vulnerability Details - OpenCVE

When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00459.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Geode

Configuration 1 [-]

cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-2127	When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.
Github GHSA	GHSA-37m3-qp37-x3c6	Apache Geode gfsh query vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2017-09-29T21:00:00Z

Updated: 2024-09-17T03:02:45.659Z

Reserved: 2017-06-21T00:00:00

Link: CVE-2017-9794

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-09-30T01:29:03.053

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-9794

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Geode", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "1.0.0"}, {"status": "affected", "version": "1.1.0"}, {"status": "affected", "version": "1.1.1"}, {"status": "affected", "version": "1.2.0"}]}], "datePublic": "2017-09-29T00:00:00", "descriptions": [{"lang": "en", "value": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view."}], "problemTypes": [{"descriptions": [{"description": "Concurrent Execution using Shared Resource with Improper Synchronization error", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-29T20:57:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[geode-user] 20170929 [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-09-29T00:00:00", "ID": "CVE-2017-9794", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Geode", "version": {"version_data": [{"version_value": "1.0.0"}, {"version_value": "1.1.0"}, {"version_value": "1.1.1"}, {"version_value": "1.2.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Concurrent Execution using Shared Resource with Improper Synchronization error"}]}]}, "references": {"reference_data": [{"name": "[geode-user] 20170929 [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw@mail.gmail.com%3e"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:18:02.182Z"}, "title": "CVE Program Container", "references": [{"name": "[geode-user] 20170929 [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-9794", "datePublished": "2017-09-29T21:00:00Z", "dateReserved": "2017-06-21T00:00:00", "dateUpdated": "2024-09-17T03:02:45.659Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*", "matchCriteriaId": "E929494D-00C5-4C57-9426-34A1830A199C", "versionEndIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view."}, {"lang": "es", "value": "Cuando se opera un cl\u00faster en modo seguro, un usuario con privilegios de lectura para determinadas regiones de datos podr\u00eda utilizar la herramienta de l\u00ednea de comandos gfsh para ejecutar consultas. En las versiones anteriores a la 1.2.1 de Apache Geode, los resultados de las consultas pueden contener datos de otra consulta gfsh del usuario que se est\u00e9 ejecutando de manera concurrente, pudiendo revelar datos que el usuario no est\u00e1 autorizado para visualizar."}], "id": "CVE-2017-9794", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-30T01:29:03.053", "references": [{"source": "security@apache.org", "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}