CVE-2018-1295

CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

9.8CRITICAL

EPSS

5.6%

top 9.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ignite Apache Software Foundation Apache Ignite

Timeline

PublishedApr 2

Latest updateOct 16

Description

In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.ignite:ignite-core< 2.4

▶NVDapache/ignite2.3.0

▶CVEListV5apache_software_foundation/apache_ignite2.3 and earlier

🔴Vulnerability Details

GHSA

Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization↗2018-10-16

▶

OSV

Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization↗2018-10-16

▶

CVEList

CVE-2018-1295: In Apache Ignite 2↗2018-04-02

▶

📋Vendor Advisories

Red Hat

ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints↗2018-04-02

▶

💬Community

Bugzilla

CVE-2018-1295 ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints↗2018-04-03

▶