CVE-2016-10750

Published: May 22, 2019Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

Affected (1)

Products: Hazelcast: Hazelcast

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hazelcast Hazelcast	Before 3.11

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (6)

https://access.redhat.com/errata/RHSA-2019:2413

Source: cve@mitre.org

https://github.com/hazelcast/hazelcast/issues/8024

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://github.com/hazelcast/hazelcast/pull/12230

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:2413

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/hazelcast/hazelcast/issues/8024

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://github.com/hazelcast/hazelcast/pull/12230

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.