CVE-2017-12622
Description
When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode in secure mode before 1.3.0 allows authenticated users without CLUSTER:MANAGE privileges to obtain status and control cluster members via the gfsh HTTP interface.
Vulnerability
When an Apache Geode cluster is running in secure mode (versions before 1.3.0), an authenticated user who connects to the cluster using the gfsh tool over HTTP can bypass authorization checks. The vulnerability, tracked as GEODE-3685 [2], results in MBean wrappers not being applied correctly, allowing the user to perform operations that should require the CLUSTER:MANAGE privilege [1]. Specifically, the user can obtain cluster-wide status information and control cluster members without having the proper authorization [1].
Exploitation
An attacker must have a valid authenticated session to the Apache Geode cluster via the HTTP interface used by gfsh. No additional network position beyond connectivity to the cluster is required, as the attack leverages the normal authenticated gfsh session [1]. The flaw lies in the failure to correctly enforce authorization on MBean operations; the attacker simply uses the standard gfsh commands that query status or issue control directives, and the cluster incorrectly permits these actions [2].
Impact
Successful exploitation allows an authenticated attacker to read sensitive cluster status information (information disclosure) and perform control operations on cluster members (loss of integrity/availability). The attacker gains unauthorized administrative-level capabilities, such as changing configurations or influencing cluster behavior, even though they lack the CLUSTER:MANAGE privilege [1].
Mitigation
The fix is included in Apache Geode version 1.3.0 and later [1]. Users operating an earlier version in secure mode should upgrade to at least 1.3.0 to remediate the issue. No workarounds are disclosed in available references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.geode:geode-coreMaven | >= 1.0.0, < 1.3.0 | 1.3.0 |
Affected products
2- Apache Software Foundation/Apache Geodev5Range: 1.0.0 to 1.2.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-h22r-h77w-2g5fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-12622ghsaADVISORY
- issues.apache.org/jira/browse/GEODE-3685ghsaWEB
- lists.apache.org/thread.html/560578479dabbdc93d0ee8746b7c857549202ef82f43aa22496aa589%40%3Cuser.geode.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/560578479dabbdc93d0ee8746b7c857549202ef82f43aa22496aa589@%3Cuser.geode.apache.org%3EghsaWEB
News mentions
0No linked articles in our index yet.