{"id":"CVE-2017-5649","details":"Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.","aliases":["GHSA-2gw6-73wc-x88f"],"modified":"2026-04-11T15:22:44.102350Z","published":"2017-04-04T18:59:00.233Z","references":[{"type":"WEB","url":"http://mail-archives.apache.org/mod_mbox/geode-user/201704.mbox/%3cCAEwge-E4y=EVfhwpfRwsbnBH_hBS3Q-BJS+1BX5omYGW4dnR1w%40mail.gmail.com%3e"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/97378"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/geode","events":[{"introduced":"0"},{"last_affected":"2286fd064a52173eab8fdcfadfb89a01e81ef728"}],"database_specific":{"cpe":"cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"1.1.0"}],"source":"CPE_FIELD"}}],"versions":["rel/v1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-5649.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}