Missing permission checks on Hazelcast client protocol
Package
Affected versions
<= 4.1.10
>= 4.2, <= 4.2.8
>= 5.0, <= 5.0.5
>= 5.1, <= 5.1.7
>= 5.2.0, <= 5.2.4
>= 5.3.0, < 5.3.5
Patched versions
5.2.5
5.3.5
Description
Published to the GitHub Advisory Database: Feb 27, 2024
Reviewed: Feb 27, 2024
Published by the National Vulnerability Database: Feb 28, 2024
Last updated: Dec 2, 2024
Impact
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.
Patches
Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1
Workarounds
There is no known workaround.