CVE-2023-45860
MEDIUM 6.5 | EPSS 0.46% | Hazelcast Platform permission checking in CSV File Source connector
Published: 2024/2/16 | Modified: 2026/3/13
Description
### Impact

In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.

### Patches

Fix versions: 5.3.5, 5.4.0-BETA-1

### Workaround

Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs won't work.
Affected packages (2)
- Maven/com.hazelcast:hazelcast >= 5.3.0, < 5.3.5
- Maven/com.hazelcast:hazelcast-enterprise >= 5.3.0, < 5.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-45860
- PATCH: https://github.com/hazelcast/hazelcast
- WEB: https://github.com/hazelcast/hazelcast/commit/98be233e79cf4bc1ff3c7126a9189988bd0e87bd
- WEB: https://github.com/hazelcast/hazelcast/pull/25348
- WEB: https://github.com/hazelcast/hazelcast/security/advisories/GHSA-8h4x-xvjp-vf99