CVE-2017-9796
Description
When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Geode before 1.3.0, users with read access to specific regions can use OQL bind parameters to access unauthorized regions.
Vulnerability
Apache Geode clusters running in secure mode before version 1.3.0 are vulnerable to an OQL injection-like flaw. A user with read access to certain regions can craft OQL queries that use a region name as a bind parameter, bypassing authorization checks and allowing read access to objects in unauthorized regions [1].
Exploitation
The attacker must have authenticated access to a Geode cluster operating in secure mode and possess read permissions on at least one region. By executing OQL queries that include a region name as a bind parameter, the attacker can enumerate and read data from regions they are not authorized to access [2].
Impact
Successful exploitation allows an authenticated attacker to read data from unauthorized regions, violating data confidentiality. The attacker does not gain write access or elevated privileges beyond the scope of read operations on regions they were not intended to access.
Mitigation
The vulnerability is fixed in Apache Geode version 1.3.0 [2]. Users should upgrade to 1.3.0 or later. No workarounds are documented in the references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.geode:geode-core | Maven | >= 1.0.0, < 1.3.0 | 1.3.0 |
Affected products
- Apache Software Foundation / Apache Geode, version range: 1.0.0 to 1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q7cp-r6cj-hpf5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-9796 (GHSA, advisory)
- issues.apache.org/jira/browse/GEODE-3248 (GHSA, web)
- lists.apache.org/thread.html/e580d22195b6b61ff9cf866ac6dd6fe16e790ff0e14a3b1a22cd20b1@%3Cuser.geode.apache.org%3E (MITRE and GHSA, user@geode.apache.org mailing list)
News mentions
No linked articles in our index yet.