CVE-2017-12622: gfsh authorization vulnerability

January 9, 2018 (updated February 1, 2018)

When an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges.

References

github.com/apache/geode/commit/db4a493efc09600bf0a9778d5274c09b23b16644
issues.apache.org/jira/browse/GEODE-3685
lists.apache.org/thread.html/560578479dabbdc93d0ee8746b7c857549202ef82f43aa22496aa589@%3Cuser.geode.apache.org%3E

Code Behaviors & Features

Detect and mitigate CVE-2017-12622 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →