Description

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

Remediation

References

https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp

Related Vulnerabilities

CVE-2022-36918 Vulnerability in maven package org.jenkins-ci.plugins:buckminster

CVE-2023-37961 Vulnerability in maven package org.jenkins-ci.plugins:assembla-auth

CVE-2021-23899 Vulnerability in maven package com.mikesamuel:json-sanitizer

CVE-2020-10705 Vulnerability in maven package io.undertow:undertow-core

CVE-2020-1745 Vulnerability in maven package io.undertow:undertow-core

Severity

Critical

Classification

CWE-384 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Third Party Advisory