org.apache.ignite:ignite-core@1.6.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.ignite:ignite-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • Severity: High
Memory Leak

org.apache.ignite:ignite-core is a memory-centric distributed database, caching, and processing platform for transactional, analytical, and streaming workloads delivering in-memory speeds at petabyte scale.

Affected versions of this package are vulnerable to Memory Leak (in practice an uncontrolled memory allocation that a remote peer can trigger, i.e. a denial of service) via the thin client protocol. The thin-client listener interprets the first 4 bytes of each incoming message as the message size and allocates a buffer of that size before the payload is read or validated, so any peer that can reach a thin client port (default 10800) can send a single header with a large size field and drive the node to Out Of Memory.
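The allocate-before-validate pattern behind this issue, as an added example in Python; this is not Ignite's code (Ignite's thin-client handler is Java), and the 4-byte little-endian length prefix, the 1 MiB cap MAX_MESSAGE_LEN and the sample frames are assumptions constructed for the demonstration. It shows the reader that trusts the length field next to one that bounds it before allocating, and classifies a hostile header and a truncated frame:

```python
import io
import struct

# Assumption for this example: no legitimate frame exceeds 1 MiB. A real server
# sizes this to the largest request it is prepared to buffer.
MAX_MESSAGE_LEN = 1024 * 1024


def frame(payload: bytes) -> bytes:
    """Encode one frame: 4-byte little-endian length prefix followed by the payload."""
    return struct.pack("<I", len(payload)) + payload


def declared_length(header: bytes) -> int:
    """Decode the length prefix. This is the number the vulnerable reader trusts."""
    (n,) = struct.unpack("<I", header[:4])
    return n


def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes from a file-like object, growing the buffer as data arrives."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("peer closed the connection mid-frame")
        buf += chunk
    return bytes(buf)


def read_message_vulnerable(stream) -> bytes:
    """Allocate-then-read, trusting the length field.

    A header of ff ff ff ff makes bytearray(n) try to reserve 4 GiB before a single
    payload byte has been seen. Only ever call this with well-formed input.
    """
    n = declared_length(read_exact(stream, 4))
    buf = bytearray(n)              # allocation size chosen by the remote peer
    buf[:] = read_exact(stream, n)
    return bytes(buf)


def read_message(stream, max_len: int = MAX_MESSAGE_LEN) -> bytes:
    """Hardened reader: bound the declared length before allocating or reading."""
    n = declared_length(read_exact(stream, 4))
    if n == 0 or n > max_len:
        # A real listener should also close the socket: the peer is either broken
        # or hostile, and the rest of its stream cannot be trusted.
        raise ValueError(f"rejected frame: declared length {n} outside 1..{max_len}")
    return read_exact(stream, n)


def try_parse(raw: bytes, max_len: int = MAX_MESSAGE_LEN):
    """Run the hardened reader over a captured byte string and classify the outcome."""
    try:
        return ("ok", read_message(io.BytesIO(raw), max_len))
    except ValueError as exc:
        return ("rejected", str(exc))
    except EOFError as exc:
        return ("truncated", str(exc))


if __name__ == "__main__":
    # Constructed inputs: a legitimate frame, a hostile header, and a truncated frame.
    print(try_parse(frame(b"handshake")))
    print(try_parse(b"\xff\xff\xff\xff" + b"\x00" * 16))
    print(try_parse(frame(b"x" * 10)[:9]))
    print("vulnerable reader would reserve", declared_length(b"\xff\xff\xff\xff"), "bytes")
```

The cap is the whole fix: once the declared length is bounded, the worst a hostile peer can do is hold one MAX_MESSAGE_LEN buffer per connection, which a connection limit then bounds in turn.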

How to fix Memory Leak?

Upgrade org.apache.ignite:ignite-core to version 2.13.0 or higher.

[,2.13.0)
  • Severity: Critical
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization. Ignite uses the H2 database engine to build its distributed SQL execution engine, and H2 ships built-in SQL functions that read and write the local filesystem (for example FILE_READ, FILE_WRITE, CSVREAD and CSVWRITE). Because these functions were reachable through Ignite SQL, anyone permitted to run SQL against the cluster could use them to read or write files with the privileges of the Ignite server process.
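A detection check for the H2 functions in question, as an added example in Python that is not part of the page or of Ignite: it scans SQL statements (for instance from an audit log or a query gateway in front of a cluster that cannot be upgraded yet) for calls to filesystem-touching H2 built-ins, ignoring names that only appear inside string literals or comments. The function list FS_FUNCTIONS and the SAMPLE_LOG statements are this example's own constructions, not taken from the page:

```python
import re

# This example's own list of H2 built-ins that read or write server files or reach
# other data sources; it is an assumption, not a list taken from the page.
FS_FUNCTIONS = ("FILE_READ", "FILE_WRITE", "CSVREAD", "CSVWRITE", "LINK_SCHEMA")
_CALL_RE = re.compile(r"\b(" + "|".join(FS_FUNCTIONS) + r")\s*\(", re.IGNORECASE)


def strip_literals_and_comments(sql: str) -> str:
    """Blank out string literals, -- line comments and /* */ block comments so that
    a function name inside them does not count as a call."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":                      # string literal; '' is an escaped quote
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2
                        continue
                    break
                i += 1
            i += 1                             # skip the closing quote
            out.append(" ")
        elif sql.startswith("--", i):          # line comment runs to end of line
            j = sql.find("\n", i)
            i = n if j == -1 else j
            out.append(" ")
        elif sql.startswith("/*", i):          # block comment
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
            out.append(" ")
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def flag_h2_fs_functions(sql: str) -> list:
    """Return the filesystem-touching H2 functions called in one statement, upper-cased."""
    cleaned = strip_literals_and_comments(sql)
    return [m.group(1).upper() for m in _CALL_RE.finditer(cleaned)]


def audit(statements) -> list:
    """Run the check over a sequence of statements; returns (index, functions) for hits."""
    hits = []
    for i, stmt in enumerate(statements):
        found = flag_h2_fs_functions(stmt)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample of logged statements: ordinary queries, two attempts hidden in
# a comment and a literal (not calls), and three real calls in mixed case.
SAMPLE_LOG = [
    "SELECT name FROM Person WHERE id = 1",
    "SELECT FILE_READ('/etc/passwd')",
    "select 1 -- FILE_READ('/x') only in a comment",
    "SELECT 'it''s FILE_READ(' FROM Person",
    "SELECT /* block */ csvread('/etc/shadow')",
    "CALL FILE_WRITE(X'0a', '/tmp/out')",
]


if __name__ == "__main__":
    for idx, funcs in audit(SAMPLE_LOG):
        print(f"statement {idx}: {', '.join(funcs)} -> {SAMPLE_LOG[idx]}")
```

A text scanner like this is a detection aid and a stop-gap, not a substitute for the upgrade: it sees only the statement text, so the authoritative fix is removing the functions from the SQL engine, which is what the fixed versions do.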

How to fix Incorrect Authorization?

Upgrade org.apache.ignite:ignite-core to version 2.8.1 or higher.

[,2.8.1)
  • Severity: Medium
XML External Entity (XXE) Injection

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The update notifier fetches an XML document describing the latest release and parsed it with an XML parser that honoured DOCTYPE declarations and resolved external entities. An attacker who can supply or modify the update-notifier document the node receives can declare an external entity that points at a local file and have that file's contents read into the parsed document, allowing arbitrary files on the node to be read.
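How the entity resolution leaks a file, and how a hardened parser refuses it, as an added example in Python using the standard expat bindings. This is not Ignite's code (the notifier is Java, where the equivalent hardening is disabling DOCTYPE and external-entity features on the DocumentBuilderFactory); the document shapes, the entity name xxe and the FAKE_FS mapping that stands in for the node's filesystem are constructed for the demonstration so nothing on disk is touched:

```python
import xml.parsers.expat

# Constructed stand-in for the node's filesystem so the demo never reads real files.
FAKE_FS = {"file:///etc/hostname": "ignite-node-01\n"}

# Constructed documents: a benign notifier response and one carrying an XXE payload.
SAFE_DOC = "<ignite><version>2.13.0</version></ignite>"
XXE_DOC = (
    '<!DOCTYPE ignite [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    "<ignite><version>&xxe;</version></ignite>"
)


def parse_resolving(doc: str) -> str:
    """Parser that resolves external entities, modelling the vulnerable behaviour.

    Returns the concatenated character data, which for XXE_DOC is the file content.
    """
    text = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        # What a DTD-honouring parser does: fetch the URI and splice it into the document.
        sub = p.ExternalEntityParserCreate(context)
        sub.Parse(FAKE_FS.get(system_id, ""), True)
        return 1

    p.ExternalEntityRefHandler = resolve
    p.Parse(doc, True)
    return "".join(text)


def parse_hardened(doc: str) -> str:
    """Refuse any DOCTYPE, and any external entity reference, before resolution can happen."""
    text = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = text.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in update-notifier documents")

    def reject_external(context, base, system_id, public_id):
        raise ValueError(f"external entity reference refused: {system_id}")

    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = reject_external   # belt and braces behind the DOCTYPE check
    p.Parse(doc, True)
    return "".join(text)


def hardened_rejects(doc: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(doc)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("resolving parser, safe doc :", repr(parse_resolving(SAFE_DOC)))
    print("resolving parser, XXE doc  :", repr(parse_resolving(XXE_DOC)))
    print("hardened parser, safe doc  :", repr(parse_hardened(SAFE_DOC)))
    print("hardened parser rejects XXE:", hardened_rejects(XXE_DOC))
```

Rejecting the DOCTYPE outright is the simplest complete fix for a format that never needs a DTD: the update-notifier document is a small fixed schema, so there is no legitimate reason for it to declare entities at all.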

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.ignite:ignite-core to version 1.9.0 or higher.

[1.0.0-RC3,1.9.0)
  • Severity: High
Information Exposure

Affected versions of this package are vulnerable to Information Exposure. Ignite uses an update notifier component to inform users about new project releases that include additional functionality, bug fixes and performance improvements. To do that the component communicates, over plain HTTP, with an external PHP server (http://ignite.run) and sends it some system properties such as the Apache Ignite or Java version. Some of those properties may contain sensitive user information. Where an upgrade is not immediately possible, the notifier can be switched off by starting the node with the system property IGNITE_UPDATE_NOTIFIER set to false (-DIGNITE_UPDATE_NOTIFIER=false), and outbound access from cluster nodes to ignite.run can be blocked at the network edge.

How to fix Information Exposure?

Upgrade org.apache.ignite:ignite-core to version 2.1.0 or higher.

[1.0.0-RC3,2.1.0)
  • Severity: Critical
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data leading to arbitrary code execution. Its serialization mechanism has no allowlist of classes permitted for serialization/deserialization, which makes it possible to run arbitrary code when vulnerable third-party classes (deserialization gadgets) are present on the Ignite classpath. The vulnerability can be exploited if a malicious user sends a specially prepared serialized object to the GridClientJdkMarshaller deserialization endpoint.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.ignite:ignite-core to version 2.6.0 or higher.

[,2.6.0)
  • Severity: Critical
Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The serialization mechanism has no allowlist of classes permitted for serialization/deserialization, which makes it possible to run arbitrary code when vulnerable third-party classes are present on the Ignite classpath. The vulnerability can be exploited if an attacker sends a specially prepared serialized object to one of the deserialization endpoints of several Ignite components: the discovery SPI, Ignite persistence, the Memcached endpoint and the socket streamer.
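The class allowlist that both deserialization entries above say was missing, as an added example in Python rather than Java. The Python pickle format has the same property as an unrestricted JDK ObjectInputStream: the byte stream names the classes and functions the runtime will resolve and call. This is not Ignite's code; in Java the equivalent control is a marshaller-level class allowlist or an ObjectInputFilter (JEP 290). The Gadget class, the allowlist contents and the two payloads are constructed for the demonstration, and the gadget evaluates a harmless expression where a real payload would choose something like os.system:

```python
import io
import pickle
from collections import OrderedDict

# Allowlist of (module, name) pairs the deserializer may resolve. An assumption for
# this example; a real list holds exactly the value types a service expects to receive.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class or function not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}: not on allowlist")


def safe_loads(data: bytes):
    """Deserialize with the allowlist enforced."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """Stock pickle.loads: resolves and calls whatever the stream names."""
    return pickle.loads(data)


class Gadget:
    """Constructed stand-in for a third-party gadget class present on the classpath.

    Deserializing it makes the runtime call a function chosen by whoever produced the
    bytes. eval of a harmless expression stands in for the os.system call a real
    payload would use.
    """

    def __reduce__(self):
        return (eval, ("2 + 2",))


def attacker_payload() -> bytes:
    """Serialized gadget: the attacker controls which callable the stream names."""
    return pickle.dumps(Gadget())


def benign_payload() -> bytes:
    """A legitimate message built only from allowlisted types."""
    return pickle.dumps(OrderedDict(node="n1", caches=["a", "b"]))


def is_rejected(data: bytes) -> bool:
    """True if the allowlisting deserializer refuses the stream."""
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    print("stock loader ran attacker-chosen code, result:", unsafe_loads(attacker_payload()))
    print("allowlist loader rejects gadget:", is_rejected(attacker_payload()))
    print("allowlist loader accepts benign:", safe_loads(benign_payload()))
```

The point the allowlist makes is that the decision happens at class-resolution time, before any constructor or reduce hook runs; a denylist of known gadgets would need updating every time a new gadget chain is found on the classpath.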

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.ignite:ignite-core to version 2.4.0 or higher.

[,2.4.0)