CVE-2017-9795
Apache Geode OQL method invocation vulnerability
7.5
HIGH
CVSS 3.1
EPSS 1.5%
Description
When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. In addition, a user could invoke methods that allow remote code execution.
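The description above amounts to two checks that OQL evaluation must enforce against the querying user: which regions a query references (including regions named in subqueries or passed as string literals), and which methods it may invoke on the objects it reads. The Python below is an added illustration of that default-deny policy; it is not Geode's code and not the fix shipped in 1.3.0. The allowlist contents, the region-path and method-call regexes, and the `check_query` interface are assumptions chosen for the example, and the queries it runs over are constructed.

```python
import re

# Method names a query may invoke on the objects it reads. Assumption: this set is
# illustrative, not Geode's actual list. Everything else is denied by default, which
# covers both reflection (getClass, forName) and write methods (put, remove, destroy).
ALLOWED_METHODS = frozenset({
    "toString", "equals", "hashCode", "compareTo",                 # java.lang.Object
    "get", "containsKey", "keySet", "values", "entrySet", "size",  # read-only Map/Region
    "getKey", "getValue",                                          # Map.Entry
})

# OQL string literals use single quotes; '' is an escaped quote inside a literal.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
# Any ".name(" is a method invocation on some receiver; checked on the literal-stripped
# query so text inside a string cannot hide or fake a call.
_METHOD_CALL = re.compile(r"\.\s*([A-Za-z_]\w*)\s*\(")
# Region paths start with "/" and appear after whitespace, "(", "," or a quote (FROM
# clauses, subqueries, string arguments). "e.salary / 2" does not match because the
# character after "/" must start an identifier.
_REGION_PATH = re.compile(r"(?<=[\s(,'])(/[A-Za-z_][\w./-]*)(?=[\s,)']|$)")


def methods_invoked(query):
    """Method names invoked anywhere in the query, in textual order."""
    return _METHOD_CALL.findall(_STRING_LITERAL.sub("''", query))


def regions_referenced(query):
    """Region paths the query touches, including inside subqueries and string literals."""
    return sorted(set(_REGION_PATH.findall(query)))


def check_query(query, readable_regions):
    """Return (permitted, violations).

    readable_regions: the set of region paths the calling user holds read access to.
    A query is permitted only if every region it references is readable and every
    method it invokes is on the allowlist.
    """
    violations = []
    for region in regions_referenced(query):
        if region not in readable_regions:
            violations.append(f"region {region} not readable")
    for method in methods_invoked(query):
        if method not in ALLOWED_METHODS:
            violations.append(f"method {method}() not on allowlist")
    return (not violations, violations)


if __name__ == "__main__":
    # Constructed sample queries for a user who may read only /employees.
    readable = {"/employees"}
    samples = [
        "SELECT e.name FROM /employees e WHERE e.name.toString() = 'bob'",
        "SELECT * FROM /employees e WHERE e.getClass().getName() = 'x'",
        "SELECT * FROM /employees e WHERE e.id IN (SELECT s.id FROM /secrets s)",
        "SELECT r.put('k', 'v') FROM /employees r",
    ]
    for q in samples:
        permitted, found = check_query(q, readable)
        print(("ALLOW " if permitted else "DENY  ") + q)
        for v in found:
            print("        " + v)
```

A production check belongs in the query engine on the parsed AST, where the receiver's static type is known and the allowlist can be keyed per type (Region versus Map.Entry versus arbitrary domain object); the string-level approximation here is deliberately conservative, so it will also reject legitimate calls to methods it does not know about. That is the intended failure mode: when in doubt, the query is denied and the user is told why.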
How to fix CVE-2017-9795
To remediate CVE-2017-9795, upgrade the affected package to a fixed version below.
- Apache Geode: upgrade to 1.3.0 or later
Is CVE-2017-9795 being exploited?
Low. EPSS is 1.5%, a low estimated probability that this vulnerability is exploited in the wild within the next 30 days.
Affected packages (1)
- Apache Geode >= 1.0.0, < 1.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2017-9795
- WEB: issues.apache.org/jira/browse/GEODE-3247
- WEB: lists.apache.org/thread.html/0fc5ea3c1ea06fe7058a0ab56d593914b05f728a6c93c5a6755956c7@%3Cuser.geode.apache.org%3E
- WEB: lists.apache.org/thread.html/232d75150991820d2fe6ba6bd4265fb58b4fe4d9d8d62eb2fd97256c@%3Cdev.geode.apache.org%3E