GHSA-8h4x-xvjp-vf99

Source
https://github.com/advisories/GHSA-8h4x-xvjp-vf99
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-8h4x-xvjp-vf99/GHSA-8h4x-xvjp-vf99.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8h4x-xvjp-vf99
Aliases
  • CVE-2023-45860
Published
2024-02-16T23:14:45Z
Modified
2024-11-06T20:02:06.800800Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Hazelcast Platform permission checking in CSV File Source connector
Details

Impact

In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.

Patches

Fix versions: 5.3.5, 5.4.0-BETA-1

Workaround

Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL queries and Jet jobs will not work.

Database specific
{
    "nvd_published_at": "2024-02-16T10:15:08Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-16T23:14:45Z"
}
References

Affected packages

Maven / com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.5

Affected versions

5.*

5.3.0
5.3.1
5.3.2
5.3.4

Database specific

{
    "last_known_affected_version_range": "<= 5.3.4"
}

Maven / com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.5

Database specific

{
    "last_known_affected_version_range": "<= 5.3.4"
}

Maven / com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.5

Database specific

{
    "last_known_affected_version_range": "<= 5.2.4"
}

Maven / com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
5.1.7

Maven / com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.5

Affected versions

5.*

5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

Database specific

{
    "last_known_affected_version_range": "<= 5.2.4"
}

Maven / com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
5.1.7

Affected versions

1.*

1.5
1.5.1
1.5.2
1.5.3
1.6-RC1
1.6
1.7-RC1
1.7-RC2
1.7-RC3
1.7-RC4
1.7
1.7.1
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9
1.9.1-RC2
1.9.1
1.9.2
1.9.2.1
1.9.2.2
1.9.2.3
1.9.3-RC
1.9.3
1.9.3.1
1.9.3.2
1.9.3.3
1.9.3.4
1.9.4-RC
1.9.4-RC1
1.9.4
1.9.4.1
1.9.4.2
1.9.4.3
1.9.4.4
1.9.4.5
1.9.4.6
1.9.4.8

2.*

2.0-RC1
2.0-RC2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1
2.1.1
2.1.2
2.1.3
2.2
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.6
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10

3.*

3.0-RC1
3.0-RC2
3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.2-RC1
3.2-RC2
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3-RC1
3.3-RC2
3.3-RC3
3.3
3.3-EA
3.3-EA2
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.4
3.4-EA
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5
3.5-EA
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6-RC1
3.6
3.6-EA
3.6-EA2
3.6-EA3
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.7
3.7-EA
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.8-RC1
3.8
3.8-EA
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9
3.9-EA
3.9.1
3.9.2
3.9.3
3.9.4
3.10-BETA-1
3.10-BETA-2
3.10
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.10.7
3.11-BETA-1
3.11
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.12-BETA-1
3.12-BETA-2
3.12
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13

4.*

4.0-BETA-1
4.0-BETA-2
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1-BETA-1
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.2-BETA-1
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8

5.*

5.0-BETA-1
5.0-BETA-2
5.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1-BETA-1
5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7