Hazelcast 5.0.0-5.2.3 ExecSvc Perm Check Bypass
CVE-2023-33265 Published on July 18, 2023
In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.
Products Associated with CVE-2023-33265
Vulnerable Packages
The following package names and version ranges may be associated with CVE-2023-33265:
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | com.hazelcast:hazelcast | >= 5.2.0, <= 5.2.3 | 5.2.4 |
| maven | com.hazelcast:hazelcast | >= 5.1.0, <= 5.1.6 | 5.1.7 |
| maven | com.hazelcast:hazelcast | <= 5.0.4 | 5.0.5 |
| maven | com.hazelcast:hazelcast-enterprise | >= 5.2.0, <= 5.2.3 | 5.2.4 |
| maven | com.hazelcast:hazelcast-enterprise | >= 5.1.0, <= 5.1.6 | 5.1.7 |
| maven | com.hazelcast:hazelcast-enterprise | <= 5.0.4 | 5.0.5 |
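To turn the table above into a repeatable check, the following added example (not stack.watch or Hazelcast code) transcribes the affected ranges and fixed-in versions for the two Maven artifacts and assesses a dependency version against them; it also scans a constructed sample `pom.xml` embedded inline. The range data comes only from the table; the version parser is an assumption that drops Maven qualifiers such as `-SNAPSHOT`, and dependency versions given as unresolved `${...}` properties are reported rather than guessed.

```python
"""Check Hazelcast Maven artifact versions against the affected ranges listed
for CVE-2023-33265. Added example, not stack.watch or Hazelcast code."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Affected ranges transcribed from the table above. Each entry is
# (inclusive lower bound or None, inclusive upper bound, fixed-in version).
# The table gives no lower bound for the 5.0.x line, so that range is open below.
AFFECTED_RANGES = [
    ((5, 2, 0), (5, 2, 3), (5, 2, 4)),
    ((5, 1, 0), (5, 1, 6), (5, 1, 7)),
    (None,      (5, 0, 4), (5, 0, 5)),
]
AFFECTED_ARTIFACTS = {
    "com.hazelcast:hazelcast",
    "com.hazelcast:hazelcast-enterprise",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.2.3' (or '5.2.3-SNAPSHOT') into a comparable tuple.
    Assumption: qualifiers after '-' are dropped and missing components
    are padded with 0, so '5.2' compares like '5.2.0'."""
    core = version.split("-")[0]
    nums = tuple(int(p) for p in core.split("."))
    return nums + (0,) * max(0, 3 - len(nums))


def assess(artifact: str, version: str) -> dict:
    """Report whether artifact:version falls inside an affected range."""
    if artifact not in AFFECTED_ARTIFACTS:
        return {"vulnerable": False, "reason": "artifact not listed", "fixed_in": None}
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v <= high:
            return {
                "vulnerable": True,
                "reason": f"{version} is within an affected range",
                "fixed_in": ".".join(map(str, fixed)),
            }
    return {"vulnerable": False, "reason": "outside listed ranges", "fixed_in": None}


# Constructed sample pom.xml used for the demonstration below.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.hazelcast</groupId>
      <artifactId>hazelcast</artifactId>
      <version>5.2.3</version>
    </dependency>
    <dependency>
      <groupId>com.hazelcast</groupId>
      <artifactId>hazelcast-enterprise</artifactId>
      <version>${hazelcast.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""


def scan_pom(pom_xml: str) -> list:
    """Return (artifact, version, assessment) for every listed Hazelcast
    dependency. Versions given as Maven properties are flagged as unresolved
    instead of being guessed."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependency", ns):
        gid = dep.findtext("m:groupId", default="", namespaces=ns)
        aid = dep.findtext("m:artifactId", default="", namespaces=ns)
        ver = dep.findtext("m:version", default="", namespaces=ns)
        key = f"{gid}:{aid}"
        if key not in AFFECTED_ARTIFACTS:
            continue
        if not ver or "${" in ver:
            findings.append((key, ver, {"vulnerable": None,
                                        "reason": "version unresolved; check effective POM",
                                        "fixed_in": None}))
        else:
            findings.append((key, ver, assess(key, ver)))
    return findings


if __name__ == "__main__":
    for artifact, version, result in scan_pom(SAMPLE_POM):
        print(artifact, version, result)
```

Run against a real build, feed the effective POM (`mvn help:effective-pom`) rather than the raw file so that property-driven versions resolve; the scanner deliberately refuses to guess them.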
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.