GHSA-c5hg-mr8r-f6jp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c5hg-mr8r-f6jp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c5hg-mr8r-f6jp
- Aliases
- Published
- 2022-12-27T14:40:39Z
- Modified
- 2023-11-08T04:10:02.822092Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Hazelcast connection caching
- Details
-
Impact
The Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity. The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Patches
Hazelcast Jet (and Enterprise) 4.5.4. Hazelcast IMDG (and Enterprise)3.12.13 Hazelcast IMDG (and Enterprise) 4.1.10 Hazelcast IMDG (and Enterprise) 4.2.6 Hazelcast Platform (and Enterprise) 5.1.3
Workarounds
There is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.
References
https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437
- Database specific
{ "nvd_published_at": "2022-12-29T23:15:00Z", "github_reviewed_at": "2022-12-27T14:40:39Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-384" ] }- References
Affected packages
Maven / com.hazelcast:hazelcast
Package
- Name
- com.hazelcast:hazelcast
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12.13
Affected versions
1.*
1.5
1.5.1
1.5.2
1.5.3
1.6-RC1
1.6
1.7-RC1
1.7-RC2
1.7-RC3
1.7-RC4
1.7
1.7.1
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9
1.9.1-RC2
1.9.1
1.9.2
1.9.2.1
1.9.2.2
1.9.2.3
1.9.3-RC
1.9.3
1.9.3.1
1.9.3.2
1.9.3.3
1.9.3.4
1.9.4-RC
1.9.4-RC1
1.9.4
1.9.4.1
1.9.4.2
1.9.4.3
1.9.4.4
1.9.4.5
1.9.4.6
1.9.4.8
2.*
2.0-RC1
2.0-RC2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1
2.1.1
2.1.2
2.1.3
2.2
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.6
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
3.*
3.0-RC1
3.0-RC2
3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.2-RC1
3.2-RC2
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3-RC1
3.3-RC2
3.3-RC3
3.3
3.3-EA
3.3-EA2
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.4
3.4-EA
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5
3.5-EA
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6-RC1
3.6
3.6-EA
3.6-EA2
3.6-EA3
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.7
3.7-EA
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.8-RC1
3.8
3.8-EA
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9
3.9-EA
3.9.1
3.9.2
3.9.3
3.9.4
3.10-BETA-1
3.10-BETA-2
3.10
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.10.7
3.11-BETA-1
3.11
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.12-BETA-1
3.12-BETA-2
3.12
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
Maven / com.hazelcast:hazelcast
Package
- Name
- com.hazelcast:hazelcast
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast
Maven / com.hazelcast:hazelcast
Package
- Name
- com.hazelcast:hazelcast
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast
Maven / com.hazelcast:hazelcast
Package
- Name
- com.hazelcast:hazelcast
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast
Maven / com.hazelcast:hazelcast
Package
- Name
- com.hazelcast:hazelcast
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast
Maven / com.hazelcast:hazelcast
Package
- Name
- com.hazelcast:hazelcast
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast
Maven / com.hazelcast.jet:hazelcast-jet
Package
- Name
- com.hazelcast.jet:hazelcast-jet
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast.jet/hazelcast-jet
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.5.4
Maven / com.hazelcast.jet:hazelcast-jet-enterprise
Package
- Name
- com.hazelcast.jet:hazelcast-jet-enterprise
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast.jet/hazelcast-jet-enterprise
Maven / com.hazelcast:hazelcast-enterprise
Package
- Name
- com.hazelcast:hazelcast-enterprise
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast-enterprise
Maven / com.hazelcast:hazelcast-enterprise
Package
- Name
- com.hazelcast:hazelcast-enterprise
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast-enterprise
Maven / com.hazelcast:hazelcast-enterprise
Package
- Name
- com.hazelcast:hazelcast-enterprise
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast-enterprise
Maven / com.hazelcast:hazelcast-enterprise
Package
- Name
- com.hazelcast:hazelcast-enterprise
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast-enterprise
Maven / com.hazelcast:hazelcast-enterprise
Package
- Name
- com.hazelcast:hazelcast-enterprise
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast-enterprise
Maven / com.hazelcast:hazelcast-enterprise
Package
- Name
- com.hazelcast:hazelcast-enterprise
- View open source insights on deps.dev
- Purl
- pkg:maven/com.hazelcast/hazelcast-enterprise