CVE-2023-45859: Missing permission checks on Hazelcast client protocol

February 27, 2024 (updated May 30, 2025)

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don’t check permissions properly, allowing authenticated users to access data stored in the cluster.

References

github.com/advisories/GHSA-xh6m-7cr7-xx66
github.com/hazelcast/hazelcast
github.com/hazelcast/hazelcast/pull/25509
github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66
nvd.nist.gov/vuln/detail/CVE-2023-45859

Code Behaviors & Features

Detect and mitigate CVE-2023-45859 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →