Missing permission checks on Hazelcast client protocol
Package
Affected versions
<=4.1.10
>= 4.2, <=4.2.8
>= 5.0, <= 5.0.5
>= 5.1, <=5.1.7
>= 5.2.0, <= 5.2.4
>= 5.3.0, < 5.3.5
Patched versions
5.2.5
5.3.5
<=4.1.10
>= 4.2, <=4.2.8
>= 5.0, <= 5.0.5
>= 5.1, <=5.1.7
>= 5.2.0, <= 5.2.4
>= 5.3.0, < 5.3.5
5.2.5
5.3.5
Impact
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.
Patches
Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1
Workarounds
There is no known workaround.