CVE-2022-36437
CRITICAL: Hazelcast < 3.12.13 and Hazelcast Jet < 4.5.4 - Unauthenticated Session Fixation
Title source: llmDescription
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
References (1)
Third Party Advisory
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp
Scores
CVSS v3
9.1
EPSS
0.0102
EPSS Percentile
58.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-384
Status
published
Products (6)
com.hazelcast/hazelcast
0 - 3.12.13 (Maven)
com.hazelcast/hazelcast-enterprise
0 - 3.12.13 (Maven)
com.hazelcast.jet/hazelcast-jet
0 - 4.5.4 (Maven)
com.hazelcast.jet/hazelcast-jet-enterprise
0 - 4.5.4 (Maven)
hazelcast/hazelcast
< 3.12.13 (2 CPE variants)
hazelcast/hazelcast-jet
< 4.5.4 (2 CPE variants)
Published
Dec 29, 2022
Tracked Since
Feb 18, 2026