CVE-2023-45859

HIGH7.6EPSS 0.17%

Missing permission checks on Hazelcast client protocol

發布日:2024/2/27修改日:2026/3/13

描述

### Impact In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster. ### Patches Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1 ### Workarounds There is no known workaround.

受影響套件(2)

Maven/com.hazelcast:hazelcastfrom 0, <= 4.1.10
Maven/com.hazelcast:hazelcast-allfrom 0, <= 4.1.10

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-45859
PATCHhttps://github.com/hazelcast/hazelcast
WEBhttps://github.com/hazelcast/hazelcast/pull/25509
WEBhttps://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66