CVE-2017-9794 - OpenCVE

When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Geode

Configuration 1 [-]

cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2017-09-29T21:00:00Z

Updated: 2024-09-17T03:02:45.659Z

Reserved: 2017-06-21T00:00:00

Link: CVE-2017-9794

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-09-30T01:29:03.053

Modified: 2023-11-07T02:50:52.770

Link: CVE-2017-9794

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Geode", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "1.0.0"}, {"status": "affected", "version": "1.1.0"}, {"status": "affected", "version": "1.1.1"}, {"status": "affected", "version": "1.2.0"}]}], "datePublic": "2017-09-29T00:00:00", "descriptions": [{"lang": "en", "value": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view."}], "problemTypes": [{"descriptions": [{"description": "Concurrent Execution using Shared Resource with Improper Synchronization error", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-29T20:57:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[geode-user] 20170929 [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-09-29T00:00:00", "ID": "CVE-2017-9794", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Geode", "version": {"version_data": [{"version_value": "1.0.0"}, {"version_value": "1.1.0"}, {"version_value": "1.1.1"}, {"version_value": "1.2.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Concurrent Execution using Shared Resource with Improper Synchronization error"}]}]}, "references": {"reference_data": [{"name": "[geode-user] 20170929 [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw@mail.gmail.com%3e"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:18:02.182Z"}, "title": "CVE Program Container", "references": [{"name": "[geode-user] 20170929 [SECURITY] CVE-2017-9794 Apache Geode gfsh query vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-9794", "datePublished": "2017-09-29T21:00:00Z", "dateReserved": "2017-06-21T00:00:00", "dateUpdated": "2024-09-17T03:02:45.659Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*", "matchCriteriaId": "E929494D-00C5-4C57-9426-34A1830A199C", "versionEndIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view."}, {"lang": "es", "value": "Cuando se opera un cl\u00faster en modo seguro, un usuario con privilegios de lectura para determinadas regiones de datos podr\u00eda utilizar la herramienta de l\u00ednea de comandos gfsh para ejecutar consultas. En las versiones anteriores a la 1.2.1 de Apache Geode, los resultados de las consultas pueden contener datos de otra consulta gfsh del usuario que se est\u00e9 ejecutando de manera concurrente, pudiendo revelar datos que el usuario no est\u00e1 autorizado para visualizar."}], "id": "CVE-2017-9794", "lastModified": "2023-11-07T02:50:52.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-30T01:29:03.053", "references": [{"source": "security@apache.org", "url": "http://mail-archives.apache.org/mod_mbox/geode-user/201709.mbox/%3cCAEwge-FqzrT+deCkNkM-EQZuKfg-XuqY4cGjFiqxoKBVduY1Zw%40mail.gmail.com%3e"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}