CVE-2017-9795
Description
When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. In addition, a user could invoke methods that allow remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Geode prior to 1.3.0, a user with read access to certain regions can use OQL to access unauthorized regions and potentially achieve remote code execution.
Vulnerability
In Apache Geode clusters running in secure mode before version 1.3.0, the Object Query Language (OQL) execution engine does not properly enforce region-level authorization. A user granted read access to specific regions can craft OQL queries that read or write objects in unauthorized regions. Additionally, the flawed OQL processing can allow method invocation that leads to remote code execution [1]. The issue is tracked as GEODE-3247 [2].
Exploitation
An attacker must have valid credentials for an Apache Geode cluster operating in secure mode and must possess at least read access to one or more regions. Using that access, the attacker sends specially crafted OQL queries that bypass region authorization checks. The queries can both access data outside the user’s intended scope and, due to insecure method invocation during query evaluation, execute arbitrary code on the server [1][2].
Impact
A successful exploit permits an authenticated attacker to read and write data in unauthorized regions, violating confidentiality and integrity. More critically, the same attack vector can yield full remote code execution (RCE) on the Geode server, giving the attacker the ability to run arbitrary commands with the privileges of the Geode process [1].
Mitigation
Upgrade to Apache Geode 1.3.0 or later, which includes the fix for OQL authorization enforcement and method invocation restrictions [2]. No workaround is available for earlier versions. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.geode:geode-core | Maven | >= 1.0.0, < 1.3.0 | 1.3.0 |
Affected products
- Apache Software Foundation / Apache Geode, affected range: 1.0.0 to 1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-6m68-3w55-6mx4 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2017-9795 (NVD entry)
- https://www.securityfocus.com/bid/102488 (SecurityFocus BID, via MITRE)
- https://issues.apache.org/jira/browse/GEODE-3247 (Apache JIRA issue)
- https://lists.apache.org/thread.html/0fc5ea3c1ea06fe7058a0ab56d593914b05f728a6c93c5a6755956c7%40%3Cuser.geode.apache.org%3E (user@geode.apache.org mailing list)
- https://lists.apache.org/thread.html/232d75150991820d2fe6ba6bd4265fb58b4fe4d9d8d62eb2fd97256c%40%3Cdev.geode.apache.org%3E (dev@geode.apache.org mailing list)
- https://lists.apache.org/thread.html/3a48163ca1fff757aefa4d9df24a251bb11ddd599a78cd85585abd00%40%3Cdev.geode.apache.org%3E (dev@geode.apache.org mailing list)
News mentions
No linked articles in our index yet.