Description

Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to update the users about new project releases that include additional functionality, bug fixes and performance improvements. To do that the component communicates to an external PHP server (http://ignite.run) where it needs to send some system properties like Apache Ignite or Java version. Some of the properties might contain user sensitive information.

Remediation

References

http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2017-7686-Apache-Ignite-Information-Disclosure-td19168.html

http://www.securityfocus.com/bid/99292

Related Vulnerabilities

CVE-2018-3733 Vulnerability in npm package crud-file-server

CVE-2018-1313 Vulnerability in maven package org.apache.derby:derby

CVE-2016-10560 Vulnerability in npm package galenframework-cli

CVE-2017-5641 Vulnerability in maven package org.apache.flex.blazeds:flex-messaging-core

CVE-2021-31405 Vulnerability in maven package com.vaadin:vaadin-text-field-flow

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mitigation Third Party Advisory VDB Entry