CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 38.4%
com.hazelcast:hazelcast is vulnerable to an authorization bypass. The vulnerability is due to correct permissions not being enforced when clients invoke the ScheduledExecutorService proxy, which allows an authenticated attacker to bypass the authorization mechanisms and execute tasks on members without the required permissions.
github.com/advisories/GHSA-c5vj-wp4v-mmvx
github.com/hazelcast/hazelcast
github.com/hazelcast/hazelcast/commit/407f10bec603a1b1cb1b042b2732c656c533fe2c
github.com/hazelcast/hazelcast/commit/5a452df41dd8ebd2497992214976894165856796
github.com/hazelcast/hazelcast/commit/b00a04a3e8303fd6bafba72b3c0dbaf45bd7e56c
github.com/hazelcast/hazelcast/pull/24271
github.com/hazelcast/hazelcast/releases/tag/v5.0.5
github.com/hazelcast/hazelcast/releases/tag/v5.1.7
github.com/hazelcast/hazelcast/releases/tag/v5.2.4
support.hazelcast.com/s/article/Security-Advisory-for-CVE-2023-33265