[MAVEN:GHSA-C5VJ-WP4V-MMVX] Hazelcast Executor Services don't check client permissions properly
Severity
High
Affected Packages
6
Fixed Packages
6
CVEs
1
Impact
In Hazelcast Platform, 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and Hazelcast IMDG (all versions up to 4.2.z), Executor Services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.
Patches
Fix versions: 5.3.0, 5.2.4, 5.1.7, 5.0.5
Workarounds
Users are only affected when they already use executor services (i.e., an instance exists as a distributed data structure).
Package | Affected Version |
---|---|
pkg:maven/com.hazelcast/hazelcast-enterprise | <= 5.0.4 |
pkg:maven/com.hazelcast/hazelcast-enterprise | >= 5.1.0, <= 5.1.6 |
pkg:maven/com.hazelcast/hazelcast-enterprise | >= 5.2.0, <= 5.2.3 |
pkg:maven/com.hazelcast/hazelcast | <= 5.0.4 |
pkg:maven/com.hazelcast/hazelcast | >= 5.1.0, <= 5.1.6 |
pkg:maven/com.hazelcast/hazelcast | >= 5.2.0, <= 5.2.3 |
Package | Fixed Version |
---|---|
pkg:maven/com.hazelcast/hazelcast-enterprise | = 5.0.5 |
pkg:maven/com.hazelcast/hazelcast-enterprise | = 5.1.7 |
pkg:maven/com.hazelcast/hazelcast-enterprise | = 5.2.4 |
pkg:maven/com.hazelcast/hazelcast | = 5.0.5 |
pkg:maven/com.hazelcast/hazelcast | = 5.1.7 |
pkg:maven/com.hazelcast/hazelcast | = 5.2.4 |
- ID
- MAVEN:GHSA-C5VJ-WP4V-MMVX
- Severity
- high
- URL
- https://github.com/advisories/GHSA-c5vj-wp4v-mmvx
- Published
-
2023-07-19T22:08:40
(14 months ago) - Modified
-
2023-11-07T05:02:48
(10 months ago) - Rights
- Maven Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/com.hazelcast/hazelcast-enterprise | com.hazelcast | hazelcast-enterprise | <= 5.0.4 | |||
Fixed | pkg:maven/com.hazelcast/hazelcast-enterprise | com.hazelcast | hazelcast-enterprise | = 5.0.5 | |||
Affected | pkg:maven/com.hazelcast/hazelcast-enterprise | com.hazelcast | hazelcast-enterprise | >= 5.1.0 <= 5.1.6 | |||
Fixed | pkg:maven/com.hazelcast/hazelcast-enterprise | com.hazelcast | hazelcast-enterprise | = 5.1.7 | |||
Affected | pkg:maven/com.hazelcast/hazelcast-enterprise | com.hazelcast | hazelcast-enterprise | >= 5.2.0 <= 5.2.3 | |||
Fixed | pkg:maven/com.hazelcast/hazelcast-enterprise | com.hazelcast | hazelcast-enterprise | = 5.2.4 | |||
Affected | pkg:maven/com.hazelcast/hazelcast | com.hazelcast | hazelcast | <= 5.0.4 | |||
Fixed | pkg:maven/com.hazelcast/hazelcast | com.hazelcast | hazelcast | = 5.0.5 | |||
Affected | pkg:maven/com.hazelcast/hazelcast | com.hazelcast | hazelcast | >= 5.1.0 <= 5.1.6 | |||
Fixed | pkg:maven/com.hazelcast/hazelcast | com.hazelcast | hazelcast | = 5.1.7 | |||
Affected | pkg:maven/com.hazelcast/hazelcast | com.hazelcast | hazelcast | >= 5.2.0 <= 5.2.3 | |||
Fixed | pkg:maven/com.hazelcast/hazelcast | com.hazelcast | hazelcast | = 5.2.4 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |