Description

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

Remediation

References

https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp

Related Vulnerabilities

CVE-2020-9488 Vulnerability in maven package org.apache.logging.log4j:log4j

CVE-2020-26226 Vulnerability in npm package semantic-release

CVE-2019-19771 Vulnerability in npm package babel-laoder

CVE-2018-11788 Vulnerability in maven package org.apache.karaf.specs:org.apache.karaf.specs.java.xml

CVE-2020-5259 Vulnerability in maven package org.webjars.npm:dojox

Severity

Critical

Classification

CWE-384 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Third Party Advisory