CVE-2017-7686: Apache Ignite communicates to an external PHP server where sensitive information is sent

October 16, 2018 (updated November 22, 2024)

Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to update the users about new project releases that include additional functionality, bug fixes and performance improvements. To do that the component communicates to an external PHP server (http://ignite.run) where it needs to send some system properties like Apache Ignite or Java version. Some of the properties might contain user sensitive information.

References

github.com/advisories/GHSA-8p83-68cw-943f
nvd.nist.gov/vuln/detail/CVE-2017-7686

Code Behaviors & Features

Detect and mitigate CVE-2017-7686 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →