com.hazelcast:hazelcast-client@2.6.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.hazelcast:hazelcast-client package. This does not include vulnerabilities belonging to this package’s dependencies.

Deserialization of Untrusted Data (severity: High)

com.hazelcast:hazelcast-client is a clustering and highly scalable data distribution platform.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Hazelcast blindly deserializes any object it receives in the JoinRequest stream, so an attacker who can reach a listening Hazelcast instance with a crafted JoinRequest, on a host whose classpath also contains exploitable (gadget) classes, could run arbitrary shell commands.

How to fix Deserialization of Untrusted Data?

Upgrade com.hazelcast:hazelcast-client to version 3.10.1 or higher.
