CVE-2023-45859 - Vulnerability Details - OpenCVE

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00201.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Hazelcast Subscribe	Hazelcast Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:hazelcast:hazelcast::::::::
	cpe:2.3:a:hazelcast:hazelcast::::::::
	cpe:2.3:a:hazelcast:hazelcast::::::::
	cpe:2.3:a:hazelcast:hazelcast::::::::
	cpe:2.3:a:hazelcast:hazelcast::::::::
	cpe:2.3:a:hazelcast:hazelcast::::::::

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-xh6m-7cr7-xx66	Missing permission checks on Hazelcast client protocol

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/hazelcast/hazelcast/pull/25509
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66

History

Wed, 14 May 2025 00:15:00 +0900

Type	Values Removed	Values Added
First Time appeared		Hazelcast Hazelcast hazelcast
CPEs		cpe:2.3:a:hazelcast:hazelcast::::::::
Vendors & Products		Hazelcast Hazelcast hazelcast

Sat, 30 Nov 2024 02:15:00 +0900

Type	Values Removed	Values Added
Weaknesses		CWE-922
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-02-28T00:00:00

Updated: 2024-11-29T16:42:41.602Z

Reserved: 2023-10-14T00:00:00

Link: CVE-2023-45859

Vulnrichment

Updated: 2024-08-02T20:29:32.492Z

NVD

Status : Analyzed

Published: 2024-02-28T22:15:26.070

Modified: 2025-05-13T14:52:22.837

Link: CVE-2023-45859

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-922

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-45859", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-29T16:42:41.602Z", "dateReserved": "2023-10-14T00:00:00", "datePublished": "2024-02-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-28T22:00:24.680854"}, "descriptions": [{"lang": "en", "value": "In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/hazelcast/hazelcast/pull/25509"}, {"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-922", "lang": "en", "description": "CWE-922 Insecure Storage of Sensitive Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-01T18:45:07.416874Z", "id": "CVE-2023-45859", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T16:42:41.602Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:29:32.492Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/hazelcast/hazelcast/pull/25509", "tags": ["x_transferred"]}, {"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/hazelcast/hazelcast/pull/25509", "tags": ["x_transferred"]}, {"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:29:32.492Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-45859", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-01T18:45:07.416874Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-922", "description": "CWE-922 Insecure Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:14.574Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/hazelcast/hazelcast/pull/25509"}, {"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66"}], "descriptions": [{"lang": "en", "value": "In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-28T22:00:24.680854"}}}, "cveMetadata": {"cveId": "CVE-2023-45859", "state": "PUBLISHED", "dateUpdated": "2024-11-29T16:42:41.602Z", "dateReserved": "2023-10-14T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-02-28T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A27DC77-9472-4170-A7D0-CAF88A8ED742", "versionEndIncluding": "4.1.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAEC1A2F-E2E2-40A6-9366-1127CB335BF0", "versionEndIncluding": "4.2.8", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:*:*:*:*", "matchCriteriaId": "C03C4EBA-6110-4BE7-AEAD-D0B844D68EF5", "versionEndIncluding": "5.0.5", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:*:*:*:*", "matchCriteriaId": "B34E82BE-949F-464C-B2D9-8E7C69BD3636", "versionEndIncluding": "5.1.7", "versionStartIncluding": "5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:*:*:*:*", "matchCriteriaId": "46B51F89-569F-415E-A84E-CF8240D57D2A", "versionEndExcluding": "5.2.5", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BAF02F2-6A4D-40D1-AFBB-F152327FECE7", "versionEndExcluding": "5.3.5", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster."}, {"lang": "es", "value": "En Hazelcast hasta 4.1.10, 4.2 hasta 4.2.8, 5.0 hasta 5.0.5, 5.1 hasta 5.1.7, 5.2 hasta 5.2.4 y 5.3 hasta 5.3.2, algunas operaciones de cliente no verifican los permisos correctamente, lo que permite a los usuarios autenticados acceder a los datos almacenados en el cl\u00faster."}], "id": "CVE-2023-45859", "lastModified": "2025-05-13T14:52:22.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-28T22:15:26.070", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/hazelcast/hazelcast/pull/25509"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/hazelcast/hazelcast/pull/25509"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}