Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04aDR4LXh2anAtdmY5Oc4AA5V1

Hazelcast Platform permission checking in CSV File Source connector

Impact

In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.

Patches

Fix versions: 5.3.5, 5.4.0-BETA-1

Workaround

Disabling Hazelcast Jet processing engine in Hazelcast member configuration workarounds the issue. As a result SQL and Jet jobs won't work.

Permalink: https://github.com/advisories/GHSA-8h4x-xvjp-vf99
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04aDR4LXh2anAtdmY5Oc4AA5V1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: about 2 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-8h4x-xvjp-vf99, CVE-2023-45860
References: Repository: https://github.com/hazelcast/hazelcast
Blast Radius: 26.1

Affected Packages

maven:com.hazelcast:hazelcast
Dependent packages: 607
Dependent repositories: 10,433
Downloads:
Affected Version Ranges: >= 5.2.0, <= 5.2.4, <= 5.1.7, >= 5.3.0, <= 5.3.4
Fixed in: 5.2.5, , 5.3.5
All affected versions: 1.9.2, 1.9.3, 1.9.4, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.1, 2.1.2, 2.1.3, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12, 3.12.13, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.3.0, 5.3.1, 5.3.2, 5.3.4
All unaffected versions: 5.2.5, 5.3.5, 5.3.6, 5.3.7, 5.4.0
maven:com.hazelcast:hazelcast-enterprise
Affected Version Ranges: >= 5.2.0, <= 5.2.4, <= 5.1.7, >= 5.3.0, <= 5.3.4
Fixed in: 5.2.5, , 5.3.5