Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way.
This issue affects Apache Ignite: from 2.0.0 through 2.17.0.
Users are recommended to upgrade to version 2.18.0, which fixes the issue.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-v45h-mqf4-6939 | Apache Ignite REST API Has a Relative Path Traversal Vulnerability |
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Fri, 29 May 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Apache
Apache ignite |
|
| CPEs | cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Apache
Apache ignite |
|
| Metrics |
cvssV3_1
|
Thu, 28 May 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
ssvc
|
Thu, 28 May 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Thu, 28 May 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 28 May 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to upgrade to version 2.18.0, which fixes the issue. | |
| Title | Apache Ignite: REST HTTP arbitrary file read vulnerability | |
| Weaknesses | CWE-23 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-05-28T12:59:14.937Z
Reserved: 2025-05-29T07:39:39.245Z
Link: CVE-2025-48977
Updated: 2026-05-28T11:12:28.796Z
Status : Analyzed
Published: 2026-05-28T10:16:23.423
Modified: 2026-06-17T09:30:36.040
Link: CVE-2025-48977
No data.
OpenCVE Enrichment
Updated: 2026-05-30T21:19:18Z
Github GHSA