CVE-2023-45859: Missing permission checks on Hazelcast client protocol

February 27, 2024

Impact

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don’t check permissions properly, allowing authenticated users to access data stored in the cluster.

Patches

Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1

Workarounds

There is no known workaround.

References

github.com/advisories/GHSA-xh6m-7cr7-xx66
github.com/hazelcast/hazelcast
github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66
nvd.nist.gov/vuln/detail/CVE-2023-45859

Detect and mitigate CVE-2023-45859 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →