Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNXZqLXdwNHYtbW12eM4AA0zu
Hazelcast Executor Services don't check client permissions properly
Impact
In Hazelcast Platform, 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and Hazelcast IMDG (all versions up to 4.2.z), Executor Services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.
Patches
Fix versions: 5.3.0, 5.2.4, 5.1.7, 5.0.5
Workarounds
Users are only affected when they already use executor services (i.e., an instance exists as a distributed data structure).
Permalink: https://github.com/advisories/GHSA-c5vj-wp4v-mmvxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNXZqLXdwNHYtbW12eM4AA0zu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
EPSS Percentage: 0.00089
EPSS Percentile: 0.39223
Identifiers: GHSA-c5vj-wp4v-mmvx, CVE-2023-33265
References:
- https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5vj-wp4v-mmvx
- https://nvd.nist.gov/vuln/detail/CVE-2023-33265
- https://github.com/hazelcast/hazelcast
- https://github.com/hazelcast/hazelcast/releases/tag/v5.0.5
- https://github.com/hazelcast/hazelcast/releases/tag/v5.1.7
- https://github.com/hazelcast/hazelcast/releases/tag/v5.2.4
- https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2023-33265
- https://github.com/advisories/GHSA-c5vj-wp4v-mmvx
Blast Radius: 30.5
Affected Packages
maven:com.hazelcast:hazelcast-enterprise
Affected Version Ranges: <= 5.0.4, >= 5.1.0, <= 5.1.6, >= 5.2.0, <= 5.2.3Fixed in: 5.0.5, 5.1.7, 5.2.4
maven:com.hazelcast:hazelcast
Dependent packages: 612Dependent repositories: 10,433
Downloads:
Affected Version Ranges: <= 5.0.4, >= 5.1.0, <= 5.1.6, >= 5.2.0, <= 5.2.3
Fixed in: 5.0.5, 5.1.7, 5.2.4
All affected versions: 1.9.2, 1.9.3, 1.9.4, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.1, 2.1.2, 2.1.3, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12, 3.12.13, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2.0, 5.2.1, 5.2.2, 5.2.3
All unaffected versions: 5.0.5, 5.1.7, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.4.0, 5.5.0