CVE-2022-36437

Published: Dec 29, 2022Modified: Apr 11, 2025

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

Affected (12)

Products: Hazelcast: Hazelcast, Hazelcast Jet

Hazelcast

2 products

Hazelcast

Hazelcast Jet

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
Hazelcast Hazelcast	Before 3.12.13
Hazelcast Hazelcast	From 4.0.0 to 4.1.10
Hazelcast Hazelcast	From 4.2.0 to 4.2.6
Hazelcast Hazelcast	From 5.0.0 to 5.0.4
Hazelcast Hazelcast	From 5.1.0 to 5.1.3
Hazelcast Hazelcast	Before 3.12.13
Hazelcast Hazelcast	From 4.0.0 to 4.1.10
Hazelcast Hazelcast	From 4.2.0 to 4.2.6
Hazelcast Hazelcast	From 5.0.0 to 5.0.4
Hazelcast Hazelcast	From 5.1.0 to 5.1.3
Hazelcast Hazelcast Jet	Before 4.5.4
Hazelcast Hazelcast Jet	Before 4.5.4

Related CWEs

CWE-384

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (2)

https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp

Source: cve@mitre.org

Third Party Advisory

https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.