CVE-2017-7686

EUVD-2017-0146
Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to update the users about new project releases that include additional functionality, bug fixes and performance improvements. To do that the component communicates to an external PHP server (http://ignite.run) where it needs to send some system properties like Apache Ignite or Java version. Some of the properties might contain user sensitive information.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
Affected Products (NVD)
VendorProductVersion
apacheignite
1.0.0
apacheignite
1.0.0:rc3
apacheignite
1.1.0
apacheignite
1.2.0
apacheignite
1.3.0
apacheignite
1.4.0
apacheignite
1.5.0:b1
apacheignite
1.5.0:final
apacheignite
1.6.0
apacheignite
1.7.0
apacheignite
1.8.0
apacheignite
1.9.0
apacheignite
2.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2017-7686-Apache-Ignite-Information-Disclosure-td19168.html
http://www.securityfocus.com/bid/99292
http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2017-7686-Apache-Ignite-Information-Disclosure-td19168.html
http://www.securityfocus.com/bid/99292