In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.
Published 2018-04-02 17:29:00
Updated 2019-03-05 18:38:14
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2018-1295

1.91%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 87 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-1295

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
7.5
HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
10.0
6.4
NIST
9.8
CRITICAL CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
NIST

CWE ids for CVE-2018-1295

References for CVE-2018-1295

Products affected by CVE-2018-1295

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!