High severity7.5NVD Advisory· Published Apr 4, 2017· Updated May 13, 2026

CVE-2017-5649

Description

Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.geode:geode-coreMaven	>= 1.1.0, < 1.1.1	1.1.1

Affected products

Apache/Geode
cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*
Range: <=1.1.0
Apache Software Foundation/Apache Geodev5
Range: 1.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/97378nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-2gw6-73wc-x88fghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-5649ghsaADVISORY
mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w@mail.gmail.com%3eghsaWEB
mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w%40mail.gmail.com%3envd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000