Description

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

Remediation

References

https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp

Related Vulnerabilities

CVE-2019-18212 Vulnerability in maven package org.lsp4xml:org.eclipse.lsp4xml.extensions.emmet

CVE-2022-42467 Vulnerability in maven package org.apache.isis.core:isis-core-config

CVE-2020-13692 Vulnerability in maven package org.postgresql:postgresql

CVE-2020-2304 Vulnerability in maven package org.jenkins-ci.plugins:subversion

CVE-2017-16028 Vulnerability in npm package react-native-meteor-oauth

Severity

Critical

Classification

CWE-384 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Third Party Advisory