Miggo Logo

CVE-2018-1295: Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization

9.8

CVSS Score
3.0

Basic Information

EPSS Score
0.90114%
Published
10/16/2018
Updated
4/19/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.ignite:ignite-coremaven< 2.42.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the lack of an allowlist during deserialization in multiple network-facing components. While specific function names and file paths aren't provided in the available data, the CVE description explicitly identifies the affected components (discovery SPI, Memcached, etc.) as deserialization endpoints. These components inherently require deserialization logic to process incoming data, and the absence of an allowlist in versions <2.4 makes their deserialization entry points inherently vulnerable. This aligns with CWE-502 patterns where untrusted data is deserialized without proper validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** I*nit* *.* or **rli*r, t** s*ri*liz*tion m****nism *o*s not **v* * list o* *l*ss*s *llow** *or s*ri*liz*tion/**s*ri*liz*tion, w*i** m*k*s it possi*l* to run *r*itr*ry *o** w**n *-r* p*rty vuln*r**l* *l*ss*s *r* pr*s*nt in I*nit* *l*ssp*t*.

Reasoning

T** vuln*r**ility st*ms *rom t** l**k o* *n *llowlist *urin* **s*ri*liz*tion in multipl* n*twork-***in* *ompon*nts. W*il* sp**i*i* *un*tion n*m*s *n* *il* p*t*s *r*n't provi*** in t** *v*il**l* **t*, t** *V* **s*ription *xpli*itly i**nti*i*s t** ****