CVE-2024-52577

CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

9.5CRITICAL

EPSS

2.6%

top 14.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Ignite Apache Ignite

Timeline

PublishedFeb 14

Latest updateOct 15

Description

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages3 packages

▶NVDapache/ignite2.6.0 — 2.17.0

▶Mavenorg.apache.ignite:ignite-core2.6.0 — 2.17.0

▶CVEListV5apache_software_foundation/apache_ignite2.6.0 — 2.17.0

🔴Vulnerability Details

OSV

Apache Ignite: Possible RCE when deserializing incoming messages by the server node↗2025-02-14

▶

CVEList

Apache Ignite: Possible RCE when deserializing incoming messages by the server node↗2025-02-14

▶

GHSA

Apache Ignite: Possible RCE when deserializing incoming messages by the server node↗2025-02-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle GoldenGate Risk Matrix: General (Apache Ignite) — CVE-2024-52577↗2025-10-15

▶

Red Hat

org.apache.ignite:ignite-core: Apache Ignite: Possible RCE when deserializing incoming messages by the server node↗2025-02-14

▶