CVE-2018-1295: Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization
9.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.90114%
CWE
Published
10/16/2018
Updated
4/19/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.ignite:ignite-core | maven | < 2.4 | 2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the lack of an allowlist during deserialization in multiple network-facing components. While specific function names and file paths aren't provided in the available data, the CVE description explicitly identifies the affected components (discovery SPI, Memcached, etc.) as deserialization endpoints. These components inherently require deserialization logic to process
incoming data, and the absence of an allowlist in versions <2.4 makes their deserialization entry points inherently vulnerable. This aligns with CWE-502 patterns where untrusted data is deserialized without proper validation
.