The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
References
Link | Resource |
---|---|
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
09 Jan 2023, 18:33
Type | Values Removed | Values Added |
---|---|---|
First Time |
Hazelcast
Hazelcast hazelcast-jet Hazelcast hazelcast |
|
CWE | CWE-384 | |
CPE | cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:* cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:-:*:*:* cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:* cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:enterprise:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
References | (MISC) https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp - Third Party Advisory |
29 Dec 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-29 23:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-36437
Mitre link : CVE-2022-36437
CVE.ORG link : CVE-2022-36437
JSON object : View
Products Affected
hazelcast
- hazelcast-jet
- hazelcast
CWE
CWE-384
Session Fixation