CVE-2023-45859
HIGH 7.6
EPSS 0.17%
Missing permission checks on Hazelcast client protocol
Published: 2/27/2024
Modified: 3/13/2026
Description
### Impact
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

### Patches
Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1

### Workarounds
There is no known workaround.
Affected packages (2)
- Maven/com.hazelcast:hazelcast from 0, <= 4.1.10
- Maven/com.hazelcast:hazelcast-all from 0, <= 4.1.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |