Description

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

Remediation

References

https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp

Related Vulnerabilities

CVE-2023-46652 Vulnerability in maven package org.jenkins-ci.plugins:lambdatest-automation

CVE-2017-15095 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2021-23341 Vulnerability in npm package prismjs

CVE-2014-0113 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2017-16035 Vulnerability in npm package hubl-server

Severity

Critical

Classification

CWE-384 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Third Party Advisory