CRITICAL🇵🇱 Wersja polska

CVE-2024-52577

CVSS 9.5v4.0pub. 2025-02-14upd. 2025-07-14

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Apache Ignite

    APP
    Apache
    2.6.0 – 2.17.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2018-1273CRITICAL9.8⚠ KEVten sam produkt

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain ...

CVE-2020-1963CRITICAL9.1ten sam produkt

Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which coul...

CVE-2018-8018CRITICAL9.8ten sam produkt

In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of clas...

CVE-2018-1295CRITICAL9.8ten sam produkt

In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for seria...

CVE-2025-48977HIGH8.5ten sam produkt

Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any fi...