CVE-2023-45860: SQL Injection
First published: Fri Feb 16 2024(Updated: )
### Impact In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem. ### Patches Fix versions: 5.3.5, 5.4.0-BETA-1 ### Workaround Disabling Hazelcast Jet processing engine in Hazelcast member configuration workarounds the issue. As a result SQL and Jet jobs won't work.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.hazelcast:hazelcast | >=5.2.0<=5.2.4 | 5.2.5 |
| maven/com.hazelcast:hazelcast-enterprise | >=5.2.0<=5.2.4 | 5.2.5 |
| maven/com.hazelcast:hazelcast | <=5.1.7 | |
| maven/com.hazelcast:hazelcast-enterprise | <=5.1.7 | |
| maven/com.hazelcast:hazelcast-enterprise | >=5.3.0<=5.3.4 | 5.3.5 |
| maven/com.hazelcast:hazelcast | >=5.3.0<=5.3.4 | 5.3.5 |
| Hazelcast | <=5.1.7 | |
| Hazelcast | >=5.2.0<5.2.5 | |
| Hazelcast | >=5.3.0<5.3.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/hazelcast/hazelcast/pull/25348
- https://github.com/hazelcast/hazelcast/security/advisories/GHSA-8h4x-xvjp-vf99
- https://nvd.nist.gov/vuln/detail/CVE-2023-45860
- https://github.com/hazelcast/hazelcast/commit/98be233e79cf4bc1ff3c7126a9189988bd0e87bd
- https://github.com/advisories/GHSA-8h4x-xvjp-vf99 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-45860?
CVE-2023-45860 is classified as a high severity vulnerability due to the potential for unauthorized data access.
How do I fix CVE-2023-45860?
To mitigate CVE-2023-45860, upgrade to Hazelcast Platform version 5.3.5 or later, or version 5.2.5 for earlier affected releases.
What systems are affected by CVE-2023-45860?
CVE-2023-45860 affects versions of Hazelcast Platform from 5.2.0 to 5.3.4, including both the Hazelcast and Hazelcast Enterprise packages.
What is the impact of CVE-2023-45860 on system security?
The impact of CVE-2023-45860 is that it allows unauthorized clients to access sensitive data stored in the filesystem of a Hazelcast member.
Where can I find more information on CVE-2023-45860?
For detailed information on CVE-2023-45860, refer to the official Hazelcast security advisories and GitHub discussions.
- agent/type
- agent/first-publish-date
- agent/references
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8h4x-xvjp-vf99
- alias/CVE-2023-45860
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/trending
- agent/source
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-api
- package-manager/maven
- vendor/hazelcast
- canonical/hazelcast
- version/hazelcast/5.1.7
- version/hazelcast/5.2.0
- version/hazelcast/5.3.0