CVE-2016-10750 – com.hazelcast:hazelcast

Package

Manager: maven
Name: com.hazelcast:hazelcast
Vulnerable Version: >=0 <3.11

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.03848 pctl0.87743

Details

Deserialization of Untrusted Data in Hazelcast In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

Metadata

Created: 2022-05-24T16:46:09Z
Modified: 2022-07-06T20:03:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jv65-pf7v-f7p8/GHSA-jv65-pf7v-f7p8.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-jv65-pf7v-f7p8
Finding: F096
Auto approve: 1