CVE-2023-33265 – com.hazelcast:hazelcast-enterprise
Package
Manager: maven
Name: com.hazelcast:hazelcast-enterprise
Vulnerable Version: >=5.2.0 <5.2.4 || >=5.1.0 <5.1.7 || >=0 <5.0.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00172 (percentile: 0.38977)
Details
Hazelcast Executor Services don't check client permissions properly

### Impact
In Hazelcast Platform, 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and Hazelcast IMDG (all versions up to 4.2.z), Executor Services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.

### Patches
Fix versions: 5.3.0, 5.2.4, 5.1.7, 5.0.5

### Workarounds
Users are only affected when they already use executor services (i.e., an instance exists as a distributed data structure).
Metadata
Created: 2023-07-19T22:08:40Z
Modified: 2023-07-19T22:08:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-c5vj-wp4v-mmvx/GHSA-c5vj-wp4v-mmvx.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-c5vj-wp4v-mmvx
Finding: F039
Auto approve: 1