GHSA-c5hg-mr8r-f6jp

Source
https://github.com/advisories/GHSA-c5hg-mr8r-f6jp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-c5hg-mr8r-f6jp
Aliases
Related
Published
2022-12-27T14:40:39Z
Modified
2026-01-30T00:32:14.738619Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Hazelcast connection caching
Details

Impact

The Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster using the identity of another, already authenticated connection. The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

Patches

  • Hazelcast Jet (and Enterprise) 4.5.4
  • Hazelcast IMDG (and Enterprise) 3.12.13
  • Hazelcast IMDG (and Enterprise) 4.1.10
  • Hazelcast IMDG (and Enterprise) 4.2.6
  • Hazelcast Platform (and Enterprise) 5.1.3

Workarounds

There is no known workaround, but setups with TLS and mutual authentication enabled significantly lower the exploitation risk.

References

https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437

Database specific
{
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "CRITICAL",
    "github_reviewed_at": "2022-12-27T14:40:39Z",
    "nvd_published_at": "2022-12-29T23:15:00Z",
    "github_reviewed": true
}
Affected packages

Maven
com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.12.13

Affected versions

1.*
1.5
1.5.1
1.5.2
1.5.3
1.6-RC1
1.6
1.7-RC1
1.7-RC2
1.7-RC3
1.7-RC4
1.7
1.7.1
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9
1.9.1-RC2
1.9.1
1.9.2
1.9.2.1
1.9.2.2
1.9.2.3
1.9.3-RC
1.9.3
1.9.3.1
1.9.3.2
1.9.3.3
1.9.3.4
1.9.4-RC
1.9.4-RC1
1.9.4
1.9.4.1
1.9.4.2
1.9.4.3
1.9.4.4
1.9.4.5
1.9.4.6
1.9.4.8
2.*
2.0-RC1
2.0-RC2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1
2.1.1
2.1.2
2.1.3
2.2
2.3
2.3.1
2.4
2.4.1
2.5
2.5.1
2.6
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
3.*
3.0-RC1
3.0-RC2
3.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.2-RC1
3.2-RC2
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3-RC1
3.3-RC2
3.3-RC3
3.3
3.3-EA
3.3-EA2
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.4
3.4-EA
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5
3.5-EA
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6-RC1
3.6
3.6-EA
3.6-EA2
3.6-EA3
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.7
3.7-EA
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.8-RC1
3.8
3.8-EA
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9
3.9-EA
3.9.1
3.9.2
3.9.3
3.9.4
3.10-BETA-1
3.10-BETA-2
3.10
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.10.7
3.11-BETA-1
3.11
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.12-BETA-1
3.12-BETA-2
3.12
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12

Database specific

last_known_affected_version_range
"<= 3.12.12"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0
Last affected
4.0.6

Affected versions

4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1
Fixed
4.1.10

Affected versions

4.*
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9

Database specific

last_known_affected_version_range
"<= 4.1.9"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2
Fixed
4.2.6

Affected versions

4.*
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5

Database specific

last_known_affected_version_range
"<= 4.2.5"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0
Fixed
5.0.4

Affected versions

5.*
5.0
5.0.1
5.0.2
5.0.3

Database specific

last_known_affected_version_range
"<= 5.0.3"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast

Package

Name
com.hazelcast:hazelcast
Purl
pkg:maven/com.hazelcast/hazelcast

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1
Fixed
5.1.3

Affected versions

5.*
5.1
5.1.1
5.1.2

Database specific

last_known_affected_version_range
"<= 5.1.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast.jet:hazelcast-jet

Package

Name
com.hazelcast.jet:hazelcast-jet
Purl
pkg:maven/com.hazelcast.jet/hazelcast-jet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.5.4

Affected versions

0.*
0.3
0.3.1
0.4
0.5
0.5.1
0.6
0.6.1
0.7
0.7.1
0.7.2
3.*
3.0
3.1
3.2
3.2.1
3.2.2
4.*
4.0
4.1
4.1.1
4.2
4.3
4.3.1
4.4
4.5
4.5.1
4.5.2
4.5.3

Database specific

last_known_affected_version_range
"<= 4.5.3"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast.jet:hazelcast-jet-enterprise

Package

Name
com.hazelcast.jet:hazelcast-jet-enterprise
Purl
pkg:maven/com.hazelcast.jet/hazelcast-jet-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.5.4

Database specific

last_known_affected_version_range
"<= 4.5.3"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.12.13

Database specific

last_known_affected_version_range
"<= 3.12.12"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0
Last affected
4.0.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1
Fixed
4.1.10

Database specific

last_known_affected_version_range
"<= 4.1.9"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2
Fixed
4.2.6

Database specific

last_known_affected_version_range
"<= 4.2.5"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0
Fixed
5.0.4

Database specific

last_known_affected_version_range
"<= 5.0.3"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"
com.hazelcast:hazelcast-enterprise

Package

Name
com.hazelcast:hazelcast-enterprise
Purl
pkg:maven/com.hazelcast/hazelcast-enterprise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1
Fixed
5.1.3

Database specific

last_known_affected_version_range
"<= 5.1.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5hg-mr8r-f6jp/GHSA-c5hg-mr8r-f6jp.json"