Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to GridClientJdkMarshaller deserialization endpoint.
{
"severity": "CRITICAL",
"github_reviewed": true,
"nvd_published_at": null,
"cwe_ids": [
"CWE-502"
],
"github_reviewed_at": "2020-06-16T21:51:39Z"
}