Bug 2345704 (CVE-2024-52577) - CVE-2024-52577 org.apache.ignite:ignite-core: Apache Ignite: Possible RCE when deserializing incoming messages by the server node
Keywords:
Status: NEW
Alias: CVE-2024-52577
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-02-14 10:01 UTC by OSIDB Bzimport
Modified: 2025-02-17 14:04 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-02-14 10:01:27 UTC
In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.

