GHSA-8h4x-xvjp-vf99: Hazelcast Platform permission checking in CSV File Source connector
Moderate severity • GitHub Reviewed • Published Feb 15, 2024 in hazelcast/hazelcast • Updated Feb 16, 2024

Package

com.hazelcast:hazelcast (Maven)

Affected versions

>= 5.3.0, <= 5.3.4

>= 5.2.0, <= 5.2.4

<= 5.1.7

com.hazelcast:hazelcast-enterprise (Maven)

>= 5.3.0, <= 5.3.4

>= 5.2.0, <= 5.2.4

<= 5.1.7

Impact

In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member’s filesystem.

Patches

Fix versions: 5.3.5, 5.4.0-BETA-1

Workaround

Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs will not work.
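As an added example (not from the advisory or from Hazelcast), the following Python checks a member's version string against the affected ranges listed above and combines it with the Jet setting from its configuration to decide whether the fix or the workaround is in place. It assumes the member's hazelcast.yaml has already been parsed into a dict and that Jet counts as disabled when the `jet.enabled` key is absent.

```python
"""Classify a Hazelcast Platform member against GHSA-8h4x-xvjp-vf99 / CVE-2023-45860.

Added example, not part of the advisory. The affected ranges and fix versions
are taken from the advisory text; the configuration samples are constructed.
"""
import re

# Affected ranges exactly as listed in the advisory (inclusive bounds).
# None as lower bound encodes "<= 5.1.7", which has no lower bound given.
AFFECTED_RANGES = [
    ((5, 3, 0), (5, 3, 4)),
    ((5, 2, 0), (5, 2, 4)),
    (None, (5, 1, 7)),
]
FIX_VERSIONS = ["5.3.5", "5.4.0-BETA-1"]


def parse_version(version):
    """Return (major, minor, patch) from '5.3.4' or '5.4.0-BETA-1'.
    Pre-release qualifiers are ignored; only the numeric prefix is compared."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any((lo is None or lo <= v) and v <= hi for lo, hi in AFFECTED_RANGES)


def jet_enabled(config):
    """Read hazelcast.jet.enabled from a parsed hazelcast.yaml dict.
    Assumption: Jet is treated as disabled when the key is absent."""
    return bool(config.get("hazelcast", {}).get("jet", {}).get("enabled", False))


def exposure(version, config):
    """'not_affected' when the version is outside the ranges (e.g. a fix
    version), 'mitigated' when affected but Jet is disabled (the advisory's
    workaround: no SQL, so no CSV File Source mapping), else 'exposed'."""
    if not is_affected(version):
        return "not_affected"
    return "exposed" if jet_enabled(config) else "mitigated"


# Constructed samples: the relevant fragment of a member's hazelcast.yaml,
# already parsed into a dict (for example with a YAML library).
CONFIG_JET_ON = {"hazelcast": {"jet": {"enabled": True}}}
CONFIG_JET_OFF = {"hazelcast": {"jet": {"enabled": False}}}

if __name__ == "__main__":
    for ver in ["5.1.7", "5.2.4", "5.3.4"] + FIX_VERSIONS:
        print(ver, exposure(ver, CONFIG_JET_ON), exposure(ver, CONFIG_JET_OFF))
```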

References

  • GHSA-8h4x-xvjp-vf99
  • https://nvd.nist.gov/vuln/detail/CVE-2023-45860
  • hazelcast/hazelcast#25348
  • hazelcast/hazelcast@98be233

Published to the GitHub Advisory Database

Feb 16, 2024

Last updated

Feb 16, 2024
