GHSA-c5vj-wp4v-mmvx

Source
https://github.com/advisories/GHSA-c5vj-wp4v-mmvx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-c5vj-wp4v-mmvx/GHSA-c5vj-wp4v-mmvx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c5vj-wp4v-mmvx
Aliases
Published
2023-07-19T22:08:40Z
Modified
2024-02-16T08:10:07.875157Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Summary
Hazelcast Executor Services don't check client permissions properly
Details

Impact

In Hazelcast Platform 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and in Hazelcast IMDG (all versions up to 4.2.z), Executor Services do not check client permissions properly, allowing authenticated users to execute tasks on cluster members without having been granted the required permissions.

Patches

Fix versions: 5.3.0, 5.2.4, 5.1.7, 5.0.5

Workarounds

Users are only affected when they already use executor services (i.e., an executor service instance exists as a distributed data structure).
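As an added example (not part of the OSV record or of Hazelcast's own code), the following Python check decides whether a com.hazelcast:hazelcast or hazelcast-enterprise version lies in one of the affected ranges listed on this page and, if so, which fix version closes it. The version parser is a simplification assumed to be adequate for the Maven version strings that appear in this record (e.g. 5.1, 3.12.13, 4.2-BETA-1, 1.6-RC1).

```python
# Added example, not from the advisory: version-range check for GHSA-c5vj-wp4v-mmvx.
# (introduced, fixed) per release line, copied from the "Affected ranges" below.
# "0" is the OSV marker for "every version before the fix is affected".
AFFECTED_RANGES = [
    ("0", "5.0.5"),      # everything up to and including 5.0.4 (and all 1.x-4.x)
    ("5.1.0", "5.1.7"),  # 5.1 through 5.1.6
    ("5.2.0", "5.2.4"),  # 5.2.0 through 5.2.3
]


def parse_version(v):
    """Turn a Maven version string into a sortable tuple (assumed simplification).

    Numeric components compare numerically and are padded so that 5.1 == 5.1.0;
    a pre-release qualifier (RC1, BETA-1, EA2) sorts before the bare release it
    qualifies, so 5.0-BETA-1 < 5.0 < 5.0.1.
    """
    base, _, qualifier = v.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    nums += [0] * (4 - len(nums))
    tag = (1, "") if not qualifier else (0, qualifier.upper())
    return tuple(nums) + tag


def fix_for(version):
    """Return the fix version for the range containing `version`, or None if unaffected."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if introduced != "0" and v < parse_version(introduced):
            continue  # below this release line
        if v < parse_version(fixed):
            return fixed  # inside [introduced, fixed)
    return None


def is_affected(version):
    """True if `version` falls inside any affected range of this advisory."""
    return fix_for(version) is not None


if __name__ == "__main__":
    for ver in ("3.12.13", "5.0-BETA-1", "5.0.5", "5.1", "5.1.7", "5.2.3", "5.3.0"):
        print(f"{ver:>11}: {'upgrade to ' + fix_for(ver) if is_affected(ver) else 'not affected'}")
```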

Database specific
{
    "nvd_published_at": "2023-07-18T16:15:11Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-19T22:08:40Z"
}
References

Affected packages

Maven / com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.4

Affected versions

5.*

5.2.0
5.2.1
5.2.2
5.2.3

Database specific

{
    "last_known_affected_version_range": "<= 5.2.3"
}

Maven / com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.1.7

Affected versions

5.*

5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6

Database specific

{
    "last_known_affected_version_range": "<= 5.1.6"
}

Maven / com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.0.5

Affected versions

1.*

1.5
1.5.1
1.5.2
1.5.3
1.6-RC1
1.6
1.7-RC1
1.7-RC2
1.7-RC3
1.7-RC4
1.7
1.7.1
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9
1.9.1-RC2
1.9.1
1.9.2
1.9.2.1
1.9.2.2
1.9.2.3
1.9.3-RC
1.9.3
1.9.3.1
1.9.3.2
1.9.3.3
1.9.3.4
1.9.4-RC
1.9.4-RC1
1.9.4
1.9.4.1
1.9.4.2
1.9.4.3
1.9.4.4
1.9.4.5
1.9.4.6
1.9.4.8

2.*

2.0-RC1
2.0-RC2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1
2.1.1
2.1.2
2.1.3
2.2
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.6
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10

3.*

3.0-RC1
3.0-RC2
3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.2-RC1
3.2-RC2
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3-RC1
3.3-RC2
3.3-RC3
3.3
3.3-EA
3.3-EA2
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.4
3.4-EA
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5
3.5-EA
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6-RC1
3.6
3.6-EA
3.6-EA2
3.6-EA3
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.7
3.7-EA
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.8-RC1
3.8
3.8-EA
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9
3.9-EA
3.9.1
3.9.2
3.9.3
3.9.4
3.10-BETA-1
3.10-BETA-2
3.10
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.10.7
3.11-BETA-1
3.11
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.12-BETA-1
3.12-BETA-2
3.12
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13

4.*

4.0-BETA-1
4.0-BETA-2
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1-BETA-1
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.2-BETA-1
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8

5.*

5.0-BETA-1
5.0-BETA-2
5.0
5.0.1
5.0.2
5.0.3
5.0.4

Database specific

{
    "last_known_affected_version_range": "<= 5.0.4"
}

Maven / com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.4

Database specific

{
    "last_known_affected_version_range": "<= 5.2.3"
}

Maven / com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.1.7

Database specific

{
    "last_known_affected_version_range": "<= 5.1.6"
}

Maven / com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.0.5

Database specific

{
    "last_known_affected_version_range": "<= 5.0.4"
}