Description

Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to update the users about new project releases that include additional functionality, bug fixes and performance improvements. To do that the component communicates to an external PHP server (http://ignite.run) where it needs to send some system properties like Apache Ignite or Java version. Some of the properties might contain user sensitive information.

Remediation

References

http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2017-7686-Apache-Ignite-Information-Disclosure-td19168.html

http://www.securityfocus.com/bid/99292

Related Vulnerabilities

CVE-2022-39288 Vulnerability in npm package fastify

CVE-2021-25930 Vulnerability in maven package org.opennms:opennms-webapp

CVE-2021-32809 Vulnerability in npm package ckeditor4

CVE-2018-1000125 Vulnerability in maven package com.inversoft:prime-jwt

CVE-2019-10158 Vulnerability in maven package org.infinispan:infinispan-spring5-remote

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mitigation Third Party Advisory VDB Entry