GHSA-8h4x-xvjp-vf99: Hazelcast Platform permission checking in CSV File Source connector
Impact
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member’s filesystem.
Patches
Fix versions: 5.3.5, 5.4.0-BETA-1
Workaround
Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs will not work.
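The workaround above, shown as a member configuration fragment. This is an added example and not part of the advisory: the `hazelcast.jet.enabled` key is Hazelcast's documented setting for turning the Jet engine on or off; the file name and the `cluster-name` value are assumptions.

```yaml
# hazelcast.yaml (member configuration) - added example, not from the advisory.
# With the Jet engine disabled, the SQL engine (which runs on Jet) is unavailable,
# so the CSV File Source SQL mapping cannot be used to read files from the
# member's filesystem. Upgrading to a fixed version (5.3.5 or later) is the
# actual remedy; this only limits exposure until then.
hazelcast:
  cluster-name: dev        # assumed value
  jet:
    enabled: false         # workaround: disables Jet jobs and SQL on this member
```

Apply the fragment to every member in the cluster; a single member that still has `jet.enabled: true` would still expose the vulnerable mapping.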
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-45860
Hazelcast Platform permission checking in CSV File Source connector
Moderate severity GitHub Reviewed Published Feb 15, 2024 in hazelcast/hazelcast • Updated Feb 16, 2024
Package: maven com.hazelcast:hazelcast (Maven)
Affected versions:
- >= 5.3.0, <= 5.3.4
- >= 5.2.0, <= 5.2.4
- <= 5.1.7
Package: maven com.hazelcast:hazelcast-enterprise (Maven)
Affected versions:
- >= 5.3.0, <= 5.3.4
- >= 5.2.0, <= 5.2.4
- <= 5.1.7
References
- GHSA-8h4x-xvjp-vf99
- https://nvd.nist.gov/vuln/detail/CVE-2023-45860
- hazelcast/hazelcast#25348
- hazelcast/hazelcast@98be233
Published to the GitHub Advisory Database
Feb 16, 2024
Last updated
Feb 16, 2024