{ "schema_version": "1.4.0", "id": "GHSA-xh6m-7cr7-xx66", "modified": "2025-05-30T12:36:04Z", "published": "2024-02-27T21:54:15Z", "aliases": [ "CVE-2023-45859" ], "summary": "Missing permission checks on Hazelcast client protocol", "details": "### Impact\nIn Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.\n\n### Patches\nFix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1\n\n### Workarounds\nThere is no known workaround.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "4.1.10" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.2" }, { "last_affected": "4.2.8" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.0" }, { "last_affected": "5.0.5" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.1" }, { "last_affected": "5.1.7" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.2.0" }, { "fixed": "5.2.5" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 5.2.4" } }, { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.3.0" }, { "fixed": "5.3.5" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast-all" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "4.1.10" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.hazelcast:hazelcast-all" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.2" }, { "last_affected": "4.2.8" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45859" }, { "type": "WEB", "url": "https://github.com/hazelcast/hazelcast/pull/25509" }, { "type": "PACKAGE", "url": "https://github.com/hazelcast/hazelcast" } ], "database_specific": { "cwe_ids": [ "CWE-281", "CWE-922" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-27T21:54:15Z", "nvd_published_at": "2024-02-28T22:15:26Z" } }