com.hazelcast:hazelcast 3.12-BETA-2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.hazelcast:hazelcast package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Improper Authorization com.hazelcast:hazelcast is a clustering and highly scalable data distribution platform. Affected versions of this package are vulnerable to Improper Authorization due to missing permission checks on the Hazelcast client protocol. Authenticated users can access data stored in the cluster by exploiting this oversight. How to fix Improper Authorization? Upgrade `com.hazelcast:hazelcast` to version 5.2.5, 5.3.5 or higher.	[,5.2.5)[5.3.0,5.3.5)
M Improper Access Control com.hazelcast:hazelcast is a clustering and highly scalable data distribution platform. Affected versions of this package are vulnerable to Improper Access Control due to inadequate permission checking, within the SQL mapping for the `CSV File Source` connector. This could enable unauthorized clients to access data from files stored on a member's filesystem. How to fix Improper Access Control? Upgrade `com.hazelcast:hazelcast` to version 5.2.5, 5.3.5 or higher.	[,5.2.5)[5.3.0,5.3.5)
C Improper Authentication com.hazelcast:hazelcast is a clustering and highly scalable data distribution platform. Affected versions of this package are vulnerable to Improper Authentication in the `TcpServerConnection.equals()` function used for connection caching, which allows unauthenticated attackers to use another user's authenticated connection to read and modify data in the cluster. How to fix Improper Authentication? Upgrade `com.hazelcast:hazelcast` to version 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3 or higher.	[,3.12.13)[4.0,4.1.10)[4.2,4.2.6)[5.0,5.0.4)[5.1,5.1.3)
C Deserialization of Untrusted Data com.hazelcast:hazelcast is a clustering and highly scalable data distribution platform. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The deserialization filter doesn't properly protect against vulnerable Externalizable classes and Deadlock in Map index. How to fix Deserialization of Untrusted Data? Upgrade `com.hazelcast:hazelcast` to version 3.12.2 or higher.	[,3.12.2)
M XML External Entity (XXE) Injection com.hazelcast:hazelcast is a clustering and highly scalable data distribution platform. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It does not validate the XML transforming, leading to potential XXE. How to fix XML External Entity (XXE) Injection? Upgrade `com.hazelcast:hazelcast` to version 3.12.11, 4.1 or higher.	[1.9.4-RC,3.12.11)[4.0.0,4.1)

Vulnerability

Vulnerable Version

Improper Authorization