CVE-2022-36437: Session Fixation

December 29, 2022 (updated January 11, 2023)

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

References

github.com/advisories/GHSA-c5hg-mr8r-f6jp
github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp
nvd.nist.gov/vuln/detail/CVE-2022-36437
support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437

Detect and mitigate CVE-2022-36437 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →