CVE-2023-45860 – com.hazelcast:hazelcast
Package
Manager: maven
Name: com.hazelcast:hazelcast
Vulnerable Version: >=5.3.0 <5.3.5 || >=5.2.0 <5.2.5 || >=0 <=5.1.7
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00459 (percentile 0.63143)
Details
Hazelcast Platform permission checking in CSV File Source connector
### Impact
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.
### Patches
Fix versions: 5.3.5, 5.4.0-BETA-1
### Workaround
Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs won't work.
Metadata
Created: 2024-02-16T23:14:45Z
Modified: 2024-11-06T19:52:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-8h4x-xvjp-vf99/GHSA-8h4x-xvjp-vf99.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-8h4x-xvjp-vf99
Finding: F106
Auto approve: 1