PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-48977 Apache Software Foundation CVE debrief

Apache Ignite versions 2.0.0 through 2.17.0 contain a relative path traversal vulnerability (CWE-23) in the REST API. Authenticated attackers can exploit the `cmd=log` command with a specially crafted log path to read arbitrary files on the server. The vulnerability is rated HIGH severity with a CVSS score of 8.5. Apache has released version 2.18.0 to address this issue. The vulnerability was disclosed via official Apache security channels and is currently undergoing analysis in the NVD.

Vendor: Apache Software Foundation
Product: Apache Ignite
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Apache Ignite 2.0.0 through 2.17.0 with the REST API enabled; security teams managing distributed database infrastructure; compliance officers concerned with data exfiltration risks from database management interfaces

Technical summary

The vulnerability exists in Apache Ignite's REST API `cmd=log` command, which accepts a log file path parameter. Insufficient input validation allows authenticated users to supply relative path sequences (e.g., `../`) to traverse outside the intended log directory and read arbitrary files on the underlying file system. The attack requires valid REST API credentials but no user interaction, and can be exploited over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H) indicates high confidentiality impact with potential for high subsequent system impacts through information disclosure.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Apache Ignite to version 2.18.0 or later immediately
  • If immediate patching is not possible, restrict network access to the Ignite REST API to trusted administrative hosts only
  • Review REST API access logs for suspicious `cmd=log` requests with non-standard path parameters
  • Audit file system permissions to ensure the Ignite process runs with minimal required privileges
  • Monitor for unauthorized file access attempts through host-based intrusion detection
  • Validate that authentication mechanisms for the REST API are properly configured and not using default credentials
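The traversal described in the technical summary and the log review recommended above, as an added example that is not from the advisory or from the Apache Ignite project: a path-confinement check of the kind a fixed handler needs, and a scanner that applies the same check to REST access-log lines. The log format, the parameter name `path`, and the log directory are assumptions; the sample lines are constructed.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines. The query parameter name "path" and
# the log line format are assumptions; the page only says cmd=log takes a log path.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2026:10:01:12 +0000] "GET /ignite?cmd=log&path=ignite.log&from=0&to=100 HTTP/1.1" 200 512
10.0.0.5 - - [28/May/2026:10:02:40 +0000] "GET /ignite?cmd=log&path=../../config/default-config.xml HTTP/1.1" 200 1024
10.0.0.9 - - [28/May/2026:10:03:02 +0000] "GET /ignite?cmd=version HTTP/1.1" 200 64
10.0.0.7 - - [28/May/2026:10:04:15 +0000] "GET /ignite?cmd=log&path=..%2F..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 2048
"""

LOG_DIR = "/opt/ignite/work/log"  # assumed log directory of the Ignite node


def is_confined(base_dir: str, requested: str) -> bool:
    """Hardened check: the requested log path must resolve inside base_dir
    after '.' and '..' segments are normalised. An absolute path replaces
    base_dir in os.path.join and is therefore rejected as well."""
    base = os.path.normpath(os.path.abspath(base_dir))
    target = os.path.normpath(os.path.join(base, requested))
    return target == base or target.startswith(base + os.sep)


# Common log format: source, two ignored fields, timestamp, request line.
REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def flag_log_requests(log_text: str, base_dir: str = LOG_DIR):
    """Return (src, timestamp, decoded path) for every cmd=log request whose
    path parameter would escape base_dir. parse_qs decodes one layer of
    percent-encoding; the extra unquote also catches double-encoded paths."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        if qs.get("cmd", [""])[0] != "log":
            continue
        for raw in qs.get("path", []):
            path = unquote(raw)
            if not is_confined(base_dir, path):
                hits.append((m.group("src"), m.group("ts"), path))
    return hits


if __name__ == "__main__":
    for src, ts, path in flag_log_requests(SAMPLE_LOG):
        print(f"{ts} {src} cmd=log path escapes log dir: {path!r}")
```

Point the scanner at the REST access log of each node; any hit is a candidate for incident review, and the same `is_confined` logic is what a patched handler must enforce before opening the file.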

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry, both published 2026-05-28. The affected version range (2.0.0-2.17.0) and fixed version (2.18.0) are explicitly stated in the CVE description. The CVSS 4.0 vector confirms a network attack vector with low attack complexity and low privileges required. The weakness is classified as CWE-23 (Relative Path Traversal) per Apache's security advisory.

Official resources

Apache Ignite disclosed this vulnerability through official security mailing lists on 2026-05-28. The issue was reported to the Apache security team, and coordinated disclosure was followed, with the patch available concurrently with public disclosure.