CVE-2018-8018 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-8018 PUBLISHED

Reported by apache · Published July 19, 2018

In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to GridClientJdkMarshaller deserialization endpoint.

Affected Products

Vendor	Product	Versions
Apache Software Foundation	Apache Ignite	2.5.x before 2.5.3, 2.4.x before 2.4.8
Apache Software Foundation	Apache Ignite	2.5.x before 2.5.3, 2.4.x before 2.4.8, 2.5.x before 2.5.3
Maven	org.apache.ignite:ignite-core	0, 0

Timeline

Jul 19, 2018 CVE Published
Apr 14, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Aug 31, 2022 EPSS Score
Jan 2, 2023 EPSS Score
Mar 5, 2023 EPSS Score
May 6, 2023 EPSS Score
May 8, 2023 EPSS Score

References

104911 vdb-entryx_refsource_BID
[ignite-dev] 20180719 [CVE-2018-8018] Possible Execution of Arbitrary Code via Apache Ignite GridClientJdkMarshaller mailing-listx_refsource_MLIST
RHSA-2018:3768 vendor-advisoryx_refsource_REDHAT
https://nvd.nist.gov/vuln/detail/CVE-2018-8018 advisory

Open in Interactive Console →