CVE-2018-8018

CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

9.8CRITICAL

EPSS

4.4%

top 10.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ignite Apache Software Foundation Apache Ignite

Timeline

PublishedJul 20

Latest updateOct 16

Description

In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to GridClientJdkMarshaller deserialization endpoint.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/ignite< 2.4.8+1

▶Mavenorg.apache.ignite:ignite-core< 2.6

▶CVEListV5apache_software_foundation/apache_ignite2.4.x before 2.4.8, 2.5.x before 2.5.3+1

🔴Vulnerability Details

GHSA

Code execution via deserialization in org.apache.ignite:ignite-core↗2018-10-16

▶

OSV

Code execution via deserialization in org.apache.ignite:ignite-core↗2018-10-16

▶

CVEList

CVE-2018-8018: In Apache Ignite before 2↗2018-07-19

▶

📋Vendor Advisories

Red Hat

ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint↗2018-07-19

▶

💬Community

Bugzilla

CVE-2018-8018 ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint↗2018-07-24

▶