Description
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another, already authenticated connection. Because the flaw is in connection handling rather than in a particular credential scheme, having cluster authentication enabled does not by itself protect an exposed member or client port; the attacker rides on a connection that has already passed authentication. Affected Hazelcast versions, per release line: 4.0.x through 4.0.6, 4.1.x through 4.1.9, 4.2.x through 4.2.5, 5.0.x through 5.0.3, and 5.1.x through 5.1.2. Affected Hazelcast Jet versions: 4.5.x through 4.5.3. Release lines not listed here are not covered by this description.
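The following version check is an added example written for this page, not code from Hazelcast or from the advisory. It encodes the per-branch upper bounds stated above and classifies a dependency as affected, not affected, or unknown (for release lines the description does not mention, such as Hazelcast 3.x, it deliberately refuses to guess). The Maven coordinates com.hazelcast:hazelcast and com.hazelcast:hazelcast-jet are assumed, and the pom.xml it scans is constructed sample input.

```python
"""Affected-version check for the Hazelcast connection-handler advisory.

Added example, not Hazelcast's code. Upper bounds come from the advisory text
on this page; Maven coordinates are assumed; SAMPLE_POM is constructed input.
"""
import re
import xml.etree.ElementTree as ET

# Each release line (major, minor) is affected up to and including the listed
# patch level, as stated in the description above. Lines not listed here are
# reported as "unknown" rather than guessed.
AFFECTED_THROUGH = {
    "hazelcast": {(4, 0): 6, (4, 1): 9, (4, 2): 5, (5, 0): 3, (5, 1): 2},
    "hazelcast-jet": {(4, 5): 3},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from '5.1.2' or '4.2.5-SNAPSHOT'.

    Qualifiers after the numeric part are ignored; a missing patch component
    is treated as 0. Raises ValueError for anything that is not x.y[.z]."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(artifact, version):
    """Classify a version as 'affected', 'not affected' or 'unknown'."""
    bounds = AFFECTED_THROUGH.get(artifact)
    if bounds is None:
        return "unknown"
    major, minor, patch = parse_version(version)
    limit = bounds.get((major, minor))
    if limit is None:
        return "unknown"
    return "affected" if patch <= limit else "not affected"


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml):
    """Return [(artifactId, version, verdict)] for com.hazelcast dependencies.

    A version given as a property placeholder (${...}) or omitted (managed in
    a parent or BOM) cannot be judged from this file alone and is reported as
    'unresolved' so it is not silently skipped."""
    root = ET.fromstring(pom_xml)
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "com.hazelcast":  # assumed groupId
            continue
        artifact = fields.get("artifactId", "")
        version = fields.get("version", "")
        if not version or version.startswith("${"):
            results.append((artifact, version, "unresolved"))
        else:
            results.append((artifact, version, assess(artifact, version)))
    return results


# Constructed sample pom.xml: one affected pin, one property-managed version,
# and one unrelated dependency that must be ignored.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.hazelcast</groupId>
      <artifactId>hazelcast</artifactId>
      <version>5.1.2</version>
    </dependency>
    <dependency>
      <groupId>com.hazelcast</groupId>
      <artifactId>hazelcast-jet</artifactId>
      <version>${jet.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, verdict in scan_pom(SAMPLE_POM):
        print("%-14s %-16s %s" % (artifact, version or "(managed)", verdict))
```

Run it against a real pom.xml by passing the file contents to scan_pom; resolve any "unresolved" entries from the parent POM or BOM before trusting the result, and treat "unknown" as a prompt to consult the advisory rather than as a clean bill of health.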
Remediation
Upgrade to a release later than the affected versions listed above for your release line; the advisory linked below identifies the patched releases. Until the upgrade is done, limit network reachability of cluster member and client ports to trusted hosts, since the attacker needs no credentials.
References
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp