Missing permission checks on Hazelcast client protocol

High
kwart published GHSA-xh6m-7cr7-xx66 Feb 27, 2024

Package

com.hazelcast:hazelcast (Maven)

Affected versions

<= 4.1.10
>= 4.2, <= 4.2.8
>= 5.0, <= 5.0.5
>= 5.1, <= 5.1.7
>= 5.2.0, <= 5.2.4
>= 5.3.0, < 5.3.5

Patched versions

5.2.5
5.3.5

Package

com.hazelcast:hazelcast-enterprise (Maven)

Affected versions

<= 4.1.10
>= 4.2, <= 4.2.8
>= 5.0, <= 5.0.5
>= 5.1, <= 5.1.7
>= 5.2.0, <= 5.2.4
>= 5.3.0, < 5.3.5

Patched versions

5.2.5
5.3.5

Description

Impact

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

Patches

Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1
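
The affected ranges above have a gap between each branch (for example 4.1.11 is not listed, while 4.1.10 and 4.2 both are), and the fix versions include a pre-release (5.4.0-BETA-1), so a plain string comparison gets the answer wrong. The following is an added example, not code from the advisory or from Hazelcast: it encodes the six ranges as given, compares versions with pre-release qualifiers sorting before the corresponding release, and scans a constructed `mvn dependency:tree` excerpt for hazelcast artifacts that fall inside a range. The sample tree output and the `SAMPLE_TREE` name are constructed for this example.

```python
"""Check Hazelcast versions against the affected ranges listed in GHSA-xh6m-7cr7-xx66."""
import re
from typing import List, Optional, Tuple

# Ranges copied from the advisory's "Affected versions" block:
# (lower bound or None, lower inclusive, upper bound, upper inclusive).
AFFECTED_RANGES: List[Tuple[Optional[str], bool, str, bool]] = [
    (None,    True, "4.1.10", True),   # <= 4.1.10
    ("4.2",   True, "4.2.8",  True),   # >= 4.2, <= 4.2.8
    ("5.0",   True, "5.0.5",  True),   # >= 5.0, <= 5.0.5
    ("5.1",   True, "5.1.7",  True),   # >= 5.1, <= 5.1.7
    ("5.2.0", True, "5.2.4",  True),   # >= 5.2.0, <= 5.2.4
    ("5.3.0", True, "5.3.5",  False),  # >= 5.3.0, < 5.3.5
]

# A parsed version: numeric core plus a pre-release marker that sorts below a release.
Version = Tuple[Tuple[int, ...], Tuple[int, str]]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-QUALIFIER]' (e.g. '5.4.0-BETA-1') into a comparable tuple."""
    core, _, qualifier = text.strip().partition("-")
    nums = tuple(int(part) for part in core.split("."))
    # Pad to three components so the advisory's '4.2' equals '4.2.0'.
    nums = nums + (0,) * (3 - len(nums))
    # (0, qualifier) for pre-releases, (1, '') for releases: 5.4.0-BETA-1 < 5.4.0.
    pre = (0, qualifier.upper()) if qualifier else (1, "")
    return nums, pre


def matching_range(version: str) -> Optional[Tuple[Optional[str], bool, str, bool]]:
    """Return the advisory range containing `version`, or None if no range matches."""
    v = parse_version(version)
    for lower, lo_inc, upper, up_inc in AFFECTED_RANGES:
        if lower is not None:
            lo = parse_version(lower)
            if v < lo or (v == lo and not lo_inc):
                continue
        up = parse_version(upper)
        if v > up or (v == up and not up_inc):
            continue
        return (lower, lo_inc, upper, up_inc)
    return None


def is_affected(version: str) -> bool:
    """True when `version` falls inside one of the advisory's affected ranges."""
    return matching_range(version) is not None


# Matches the artifact and version fields of a Maven dependency-tree line such as
# '[INFO] +- com.hazelcast:hazelcast:jar:5.3.2:compile'.
DEP_LINE = re.compile(r"com\.hazelcast:(hazelcast(?:-enterprise)?):jar:([^:\s]+):")


def affected_from_dependency_tree(tree_output: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs from `mvn dependency:tree` output that are affected."""
    hits = []
    for line in tree_output.splitlines():
        match = DEP_LINE.search(line)
        if match and is_affected(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:service:jar:1.0.0
[INFO] +- com.hazelcast:hazelcast:jar:5.3.2:compile
[INFO] +- com.hazelcast:hazelcast-enterprise:jar:5.2.5:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

if __name__ == "__main__":
    for artifact, version in affected_from_dependency_tree(SAMPLE_TREE):
        print(f"{artifact} {version} is affected by GHSA-xh6m-7cr7-xx66 (CVE-2023-45859)")
```

Run the module directly to see the constructed tree scanned; in practice, feed it the saved output of `mvn dependency:tree` from the build being assessed. Note that a `5.3.5-SNAPSHOT` build is reported as affected, because the advisory's last range is strictly below 5.3.5 and a snapshot of 5.3.5 precedes the 5.3.5 release.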

Workarounds

There is no known workaround.

Severity

High, 7.6 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CVE ID

CVE-2023-45859

Weaknesses

No CWEs