Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04aDR4LXh2anAtdmY5Oc4AA5V1
Hazelcast Platform permission checking in CSV File Source connector
Impact
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.
Patches
Fix versions: 5.3.5, 5.4.0-BETA-1
Workaround
Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs won't work.
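As an added illustration of the workaround above (not configuration shipped with the advisory or taken from the Hazelcast project), the following `hazelcast.yaml` member configuration turns the Jet engine off. It assumes the Hazelcast Platform 5.x YAML configuration layout, in which the Jet engine is controlled by the `hazelcast.jet.enabled` key; the cluster name is a constructed sample value.

```yaml
# Added example, not from the advisory: Hazelcast Platform 5.x member config.
# Assumes the 5.x YAML layout where hazelcast.jet.enabled controls the Jet engine.
hazelcast:
  cluster-name: dev          # constructed sample value
  jet:
    enabled: false           # disables the Jet engine on this member, which also
                             # disables the SQL mapping path (including the CSV
                             # File Source connector) until the member is upgraded
```

Apply the same setting to every member, since the file access described in the Impact section happens on the member that runs the mapping. The programmatic equivalent is `config.getJetConfig().setEnabled(false)` on the member's `Config` object. Treat this as an interim measure only: it removes SQL and Jet entirely, whereas upgrading to 5.3.5 or 5.4.0-BETA-1 restores them with the permission check in place.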
Permalink: https://github.com/advisories/GHSA-8h4x-xvjp-vf99
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04aDR4LXh2anAtdmY5Oc4AA5V1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 25 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-8h4x-xvjp-vf99, CVE-2023-45860
References:
- https://github.com/hazelcast/hazelcast/security/advisories/GHSA-8h4x-xvjp-vf99
- https://nvd.nist.gov/vuln/detail/CVE-2023-45860
- https://github.com/hazelcast/hazelcast/pull/25348
- https://github.com/hazelcast/hazelcast/commit/98be233e79cf4bc1ff3c7126a9189988bd0e87bd
- https://github.com/advisories/GHSA-8h4x-xvjp-vf99
Blast Radius: 26.1
Affected Packages
maven:com.hazelcast:hazelcast
Dependent packages: 612
Dependent repositories: 10,433
Downloads:
Affected Version Ranges: >= 5.2.0, <= 5.2.4, <= 5.1.7, >= 5.3.0, <= 5.3.4
Fixed in: 5.2.5, , 5.3.5
All affected versions: 1.9.2, 1.9.3, 1.9.4, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.1, 2.1.2, 2.1.3, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12, 3.12.13, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.3.0, 5.3.1, 5.3.2, 5.3.4
All unaffected versions: 5.2.5, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.4.0, 5.5.0
maven:com.hazelcast:hazelcast-enterprise
Affected Version Ranges: >= 5.2.0, <= 5.2.4, <= 5.1.7, >= 5.3.0, <= 5.3.4
Fixed in: 5.2.5, , 5.3.5