petrov-mg commented on issue #12832: URL: https://github.com/apache/ignite/issues/12832#issuecomment-4037166050
Hello @Fushuling

Thank you for the interest in Apache Ignite.

First of all, let's agree that the scenario you described does NOT result in remote code execution on the Ignite SERVER side. So we are talking only about CLIENT side.

Could you please explain in more detail why the "victim" application is forced to use a malicious URL to connect to the Ignite cluster via JDBC? From my point of view, if this is "victim" application's own choice, then it has achieved its goal. If the "victim" application accepts arbitrary addresses and passes them to the Ignite JDBC connection, then the vulnerability most likely resides in the "victim" application itself.

At first glance, this does not look like a critical product vulnerability.
