CVE-2023-45860
MEDIUM 6.5 | EPSS 0.46%
Hazelcast Platform permission checking in CSV File Source connector
Published: 2/16/2024 | Modified: 3/13/2026
Description
### Impact
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. The issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.

### Patches
Fix versions: 5.3.5, 5.4.0-BETA-1

### Workaround
Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs won't work.
Affected packages (2)
- Maven/com.hazelcast:hazelcast: >= 5.3.0, < 5.3.5
- Maven/com.hazelcast:hazelcast-enterprise: >= 5.3.0, < 5.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-45860
- PATCH: https://github.com/hazelcast/hazelcast
- WEB: https://github.com/hazelcast/hazelcast/commit/98be233e79cf4bc1ff3c7126a9189988bd0e87bd
- WEB: https://github.com/hazelcast/hazelcast/pull/25348
- WEB: https://github.com/hazelcast/hazelcast/security/advisories/GHSA-8h4x-xvjp-vf99