Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jNXZqLXdwNHYtbW12eM4AA0zu

Hazelcast Executor Services don't check client permissions properly

Impact

In Hazelcast Platform, 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and Hazelcast IMDG (all versions up to 4.2.z), Executor Services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.

Patches

Fix versions: 5.3.0, 5.2.4, 5.1.7, 5.0.5

Workarounds

Users are only affected when they already use executor services (i.e., an instance exists as a distributed data structure).

Permalink: https://github.com/advisories/GHSA-c5vj-wp4v-mmvx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNXZqLXdwNHYtbW12eM4AA0zu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago


CVSS Score: 7.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

EPSS Percentage: 0.00089
EPSS Percentile: 0.39223

Identifiers: GHSA-c5vj-wp4v-mmvx, CVE-2023-33265
References: Repository: https://github.com/hazelcast/hazelcast
Blast Radius: 30.5

Affected Packages

maven:com.hazelcast:hazelcast-enterprise
Affected Version Ranges: <= 5.0.4, >= 5.1.0, <= 5.1.6, >= 5.2.0, <= 5.2.3
Fixed in: 5.0.5, 5.1.7, 5.2.4
maven:com.hazelcast:hazelcast
Dependent packages: 612
Dependent repositories: 10,433
Downloads:
Affected Version Ranges: <= 5.0.4, >= 5.1.0, <= 5.1.6, >= 5.2.0, <= 5.2.3
Fixed in: 5.0.5, 5.1.7, 5.2.4
All affected versions: 1.9.2, 1.9.3, 1.9.4, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.1, 2.1.2, 2.1.3, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12, 3.12.13, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2.0, 5.2.1, 5.2.2, 5.2.3
All unaffected versions: 5.0.5, 5.1.7, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.4.0, 5.5.0