gsd-2022-36437
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-36437",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"id": "GSD-2022-36437",
"references": [
"https://access.redhat.com/errata/RHSA-2023:0483",
"https://access.redhat.com/errata/RHSA-2023:0661"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-36437"
],
"details": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"id": "GSD-2022-36437",
"modified": "2023-12-13T01:19:21.473753Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-36437",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"refsource": "MISC",
"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[,4.5.4)",
"affected_versions": "All versions before 4.5.4",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-01-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"fixed_versions": [
"4.5.4"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8874"
],
"not_impacted": "All versions starting from 4.5.4",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet-enterprise",
"pubdate": "2022-12-29",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Session Fixation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "0e0df047-189e-4206-976e-097aa054462c"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions up to 4.5.3",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-12-27",
"description": "### Impact\nThe Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection\u0027s identity.\nThe affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.\nThe affected Hazelcast Jet versions are through 4.5.3.\n\n### Patches\nHazelcast Jet (and Enterprise) 4.5.4.\nHazelcast IMDG (and Enterprise)3.12.13\nHazelcast IMDG (and Enterprise) 4.1.10\nHazelcast IMDG (and Enterprise) 4.2.6\nHazelcast Platform (and Enterprise) 5.1.3\n\n### Workarounds\nThere is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.\n\n### References\nhttps://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437\n",
"fixed_versions": [
"4.5.4"
],
"identifier": "GMS-2022-8874",
"identifiers": [
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8874",
"CVE-2022-36437"
],
"not_impacted": "All versions after 4.5.3",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet-enterprise",
"pubdate": "2022-12-27",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Duplicate of ./maven/com.hazelcast.jet/hazelcast-jet-enterprise/CVE-2022-36437.yml",
"urls": [
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "1a64f46a-16fb-42d0-a89a-0272e9a01870"
},
{
"affected_range": "[,4.5.4)",
"affected_versions": "All versions before 4.5.4",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-01-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"fixed_versions": [
"4.5.4"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8872"
],
"not_impacted": "All versions starting from 4.5.4",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet",
"pubdate": "2022-12-29",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Session Fixation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "20e358f6-4664-4ef6-9b53-24afa765620b"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions up to 4.5.3",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-12-27",
"description": "### Impact\nThe Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection\u0027s identity.\nThe affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.\nThe affected Hazelcast Jet versions are through 4.5.3.\n\n### Patches\nHazelcast Jet (and Enterprise) 4.5.4.\nHazelcast IMDG (and Enterprise)3.12.13\nHazelcast IMDG (and Enterprise) 4.1.10\nHazelcast IMDG (and Enterprise) 4.2.6\nHazelcast Platform (and Enterprise) 5.1.3\n\n### Workarounds\nThere is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.\n\n### References\nhttps://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437\n",
"fixed_versions": [
"4.5.4"
],
"identifier": "GMS-2022-8872",
"identifiers": [
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8872",
"CVE-2022-36437"
],
"not_impacted": "All versions after 4.5.3",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet",
"pubdate": "2022-12-27",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Duplicate of ./maven/com.hazelcast.jet/hazelcast-jet/CVE-2022-36437.yml",
"urls": [
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "168fb0c2-ef22-40c2-951c-3c35aff7b383"
},
{
"affected_range": "[,3.12.13),[4.0,4.0.6],[4.1,4.1.10),[4.2,4.2.6),[5.0,5.0.4),[5.1,5.1.3)",
"affected_versions": "All versions before 3.12.13, all versions starting from 4.0 up to 4.0.6, all versions starting from 4.1 before 4.1.10, all versions starting from 4.2 before 4.2.6, all versions starting from 5.0 before 5.0.4, all versions starting from 5.1 before 5.1.3",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-01-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"fixed_versions": [
"3.12.13",
"4.1.10",
"4.2.6",
"5.0.4",
"5.1.3"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8871"
],
"not_impacted": "All versions starting from 3.12.13 before 4.0, all versions after 4.0.6 before 4.1, all versions starting from 4.1.10 before 4.2, all versions starting from 4.2.6 before 5.0, all versions starting from 5.0.4 before 5.1, all versions starting from 5.1.3",
"package_slug": "maven/com.hazelcast/hazelcast-enterprise",
"pubdate": "2022-12-29",
"solution": "Upgrade to versions 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3 or above.",
"title": "Session Fixation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "e90538c2-3bb3-4a7b-be4f-8ea3a2813d85"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions up to 3.12.12, all versions starting from 4.0 up to 4.0.6, all versions starting from 4.1 up to 4.1.9, all versions starting from 4.2 up to 4.2.5, all versions starting from 5.0 up to 5.0.3, all versions starting from 5.1 up to 5.1.2",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-12-27",
"description": "### Impact\nThe Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection\u0027s identity.\nThe affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.\nThe affected Hazelcast Jet versions are through 4.5.3.\n\n### Patches\nHazelcast Jet (and Enterprise) 4.5.4.\nHazelcast IMDG (and Enterprise)3.12.13\nHazelcast IMDG (and Enterprise) 4.1.10\nHazelcast IMDG (and Enterprise) 4.2.6\nHazelcast Platform (and Enterprise) 5.1.3\n\n### Workarounds\nThere is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.\n\n### References\nhttps://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437\n",
"fixed_versions": [
"3.12.13",
"4.1.10",
"4.2.6",
"5.0.4",
"5.1.3"
],
"identifier": "GMS-2022-8871",
"identifiers": [
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8871",
"CVE-2022-36437"
],
"not_impacted": "All versions after 3.12.12 before 4.0, all versions after 4.0.6 before 4.1, all versions after 4.1.9 before 4.2, all versions after 4.2.5 before 5.0, all versions after 5.0.3 before 5.1, all versions after 5.1.2",
"package_slug": "maven/com.hazelcast/hazelcast-enterprise",
"pubdate": "2022-12-27",
"solution": "Upgrade to versions 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3 or above.",
"title": "Duplicate of ./maven/com.hazelcast/hazelcast-enterprise/CVE-2022-36437.yml",
"urls": [
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "07a61139-44be-44ef-a062-c8cddb1415ae"
},
{
"affected_range": "[,3.12.13),[4.0,4.0.6],[4.1,4.1.10),[4.2,4.2.6),[5.0,5.0.4),[5.1,5.1.3)",
"affected_versions": "All versions before 3.12.13, all versions starting from 4.0 up to 4.0.6, all versions starting from 4.1 before 4.1.10, all versions starting from 4.2 before 4.2.6, all versions starting from 5.0 before 5.0.4, all versions starting from 5.1 before 5.1.3",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-08-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.\n\n An unauthorized user is able to run protected client tasks if her connection ID is equal to an already authenticated user\u0027s existing one. The check if the client endpoint is trusted is done against a `Map\u003cConnection, ClientEndpoint\u003e`. With only the int-typed connection ID in its `equals()` method compared it\u0027s easy to bypass the check. For the attacker it\u0027s only about spending some time on opening/closing connection in a loop.",
"fixed_versions": [
"3.12.13",
"4.1.10",
"4.2.6",
"5.0.4",
"5.1.3"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8870"
],
"not_impacted": "All versions starting from 3.12.13 before 4.0, all versions after 4.0.6 before 4.1, all versions starting from 4.1.10 before 4.2, all versions starting from 4.2.6 before 5.0, all versions starting from 5.0.4 before 5.1, all versions starting from 5.1.3",
"package_slug": "maven/com.hazelcast/hazelcast",
"pubdate": "2022-12-29",
"solution": "Upgrade to versions 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3 or above.",
"title": "Hazelcast connection caching",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "578144d3-8153-48f5-ae26-37f368b8eed4"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.5.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.5.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.12.13",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.10",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.2.6",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.1.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.1.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.2.6",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.10",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.12.13",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-36437"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2
}
},
"lastModifiedDate": "2023-01-09T18:33Z",
"publishedDate": "2022-12-29T23:15Z"
}
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.