Apache Ignite prior to 1.9 allows man-in-the-middle malicious users to read arbitrary files via XXE in modified update-notifier documents.
apache ignite