CVE-2017-15696
Description
When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode before v1.4.0 in secure mode fails to authorize configuration requests, allowing unprivileged users with locator access to extract config and code.
Vulnerability
Apache Geode clusters running in secure mode before version 1.4.0 are vulnerable because the configuration service does not properly authorize configuration requests [2]. An unprivileged user who gains access to a Geode locator can exploit this to retrieve sensitive data.
Exploitation
An attacker must have network access to the Geode locator. No authentication is required beyond access to the locator port. The attacker sends unauthenticated configuration requests to the locator, which does not verify authorization in secure mode.
Impact
Successful exploitation allows an attacker to extract cluster configuration data and previously deployed application code, leading to information disclosure of potentially sensitive configurations and code.
Mitigation
The vulnerability is fixed in Apache Geode version 1.4.0 [3]. Users should upgrade to 1.4.0 or later. No workarounds are documented; running the cluster in non-secure mode would avoid this specific defect only by removing authentication altogether, so it is not recommended.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.geode:geode-core | Maven | >= 1.0.0, < 1.4.0 | 1.4.0 |
Affected products
- Apache Software Foundation / Apache Geode: versions 1.0.0 to 1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-g569-49wg-jx5f (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2017-15696 (NVD advisory)
- [3] https://github.com/apache/geode/pull/1059 (fix pull request)
- [4] https://issues.apache.org/jira/browse/GEODE-3962 (Apache JIRA issue)
- [5] https://lists.apache.org/thread.html/28989e6ed0d3c29e46a489ae508302a50407a40691d5dc968f78cd3f@%3Cdev.geode.apache.org%3E (dev.geode.apache.org mailing list announcement)
News mentions
No linked articles in our index yet.