Description
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Scores
CVSS v3: 9.1
EPSS: 0.0037
EPSS Percentile: 59.0%
Attack Vector: NETWORK
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-384 (Session Fixation)
Status: published
Products (6)
com.hazelcast/hazelcast: 0 - 3.12.13 (Maven)
com.hazelcast/hazelcast-enterprise: 0 - 3.12.13 (Maven)
com.hazelcast.jet/hazelcast-jet: 0 - 4.5.4 (Maven)
com.hazelcast.jet/hazelcast-jet-enterprise: 0 - 4.5.4 (Maven)
hazelcast/hazelcast: < 3.12.13 (2 CPE variants)
hazelcast/hazelcast-jet: < 4.5.4 (2 CPE variants)
Published: Dec 29, 2022
Tracked Since: Feb 18, 2026