GSD-2022-36437
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-36437",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"id": "GSD-2022-36437",
"references": [
"https://access.redhat.com/errata/RHSA-2023:0483",
"https://access.redhat.com/errata/RHSA-2023:0661"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-36437"
],
"details": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"id": "GSD-2022-36437",
"modified": "2023-12-13T01:19:21.473753Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-36437",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"refsource": "MISC",
"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[,4.5.4)",
"affected_versions": "All versions before 4.5.4",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-01-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"fixed_versions": [
"4.5.4"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8874"
],
"not_impacted": "All versions starting from 4.5.4",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet-enterprise",
"pubdate": "2022-12-29",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Session Fixation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "0e0df047-189e-4206-976e-097aa054462c"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions up to 4.5.3",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-12-27",
"description": "### Impact\nThe Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection\u0027s identity.\nThe affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.\nThe affected Hazelcast Jet versions are through 4.5.3.\n\n### Patches\nHazelcast Jet (and Enterprise) 4.5.4.\nHazelcast IMDG (and Enterprise)3.12.13\nHazelcast IMDG (and Enterprise) 4.1.10\nHazelcast IMDG (and Enterprise) 4.2.6\nHazelcast Platform (and Enterprise) 5.1.3\n\n### Workarounds\nThere is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.\n\n### References\nhttps://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437\n",
"fixed_versions": [
"4.5.4"
],
"identifier": "GMS-2022-8874",
"identifiers": [
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8874",
"CVE-2022-36437"
],
"not_impacted": "All versions after 4.5.3",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet-enterprise",
"pubdate": "2022-12-27",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Duplicate of ./maven/com.hazelcast.jet/hazelcast-jet-enterprise/CVE-2022-36437.yml",
"urls": [
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "1a64f46a-16fb-42d0-a89a-0272e9a01870"
},
{
"affected_range": "[,4.5.4)",
"affected_versions": "All versions before 4.5.4",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-01-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"fixed_versions": [
"4.5.4"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8872"
],
"not_impacted": "All versions starting from 4.5.4",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet",
"pubdate": "2022-12-29",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Session Fixation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "20e358f6-4664-4ef6-9b53-24afa765620b"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions up to 4.5.3",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-12-27",
"description": "### Impact\nThe Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection\u0027s identity.\nThe affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.\nThe affected Hazelcast Jet versions are through 4.5.3.\n\n### Patches\nHazelcast Jet (and Enterprise) 4.5.4.\nHazelcast IMDG (and Enterprise)3.12.13\nHazelcast IMDG (and Enterprise) 4.1.10\nHazelcast IMDG (and Enterprise) 4.2.6\nHazelcast Platform (and Enterprise) 5.1.3\n\n### Workarounds\nThere is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.\n\n### References\nhttps://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437\n",
"fixed_versions": [
"4.5.4"
],
"identifier": "GMS-2022-8872",
"identifiers": [
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8872",
"CVE-2022-36437"
],
"not_impacted": "All versions after 4.5.3",
"package_slug": "maven/com.hazelcast.jet/hazelcast-jet",
"pubdate": "2022-12-27",
"solution": "Upgrade to version 4.5.4 or above.",
"title": "Duplicate of ./maven/com.hazelcast.jet/hazelcast-jet/CVE-2022-36437.yml",
"urls": [
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "168fb0c2-ef22-40c2-951c-3c35aff7b383"
},
{
"affected_range": "[,3.12.13),[4.0,4.0.6],[4.1,4.1.10),[4.2,4.2.6),[5.0,5.0.4),[5.1,5.1.3)",
"affected_versions": "All versions before 3.12.13, all versions starting from 4.0 up to 4.0.6, all versions starting from 4.1 before 4.1.10, all versions starting from 4.2 before 4.2.6, all versions starting from 5.0 before 5.0.4, all versions starting from 5.1 before 5.1.3",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-01-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.",
"fixed_versions": [
"3.12.13",
"4.1.10",
"4.2.6",
"5.0.4",
"5.1.3"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8871"
],
"not_impacted": "All versions starting from 3.12.13 before 4.0, all versions after 4.0.6 before 4.1, all versions starting from 4.1.10 before 4.2, all versions starting from 4.2.6 before 5.0, all versions starting from 5.0.4 before 5.1, all versions starting from 5.1.3",
"package_slug": "maven/com.hazelcast/hazelcast-enterprise",
"pubdate": "2022-12-29",
"solution": "Upgrade to versions 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3 or above.",
"title": "Session Fixation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "e90538c2-3bb3-4a7b-be4f-8ea3a2813d85"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions up to 3.12.12, all versions starting from 4.0 up to 4.0.6, all versions starting from 4.1 up to 4.1.9, all versions starting from 4.2 up to 4.2.5, all versions starting from 5.0 up to 5.0.3, all versions starting from 5.1 up to 5.1.2",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-12-27",
"description": "### Impact\nThe Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection\u0027s identity.\nThe affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.\nThe affected Hazelcast Jet versions are through 4.5.3.\n\n### Patches\nHazelcast Jet (and Enterprise) 4.5.4.\nHazelcast IMDG (and Enterprise)3.12.13\nHazelcast IMDG (and Enterprise) 4.1.10\nHazelcast IMDG (and Enterprise) 4.2.6\nHazelcast Platform (and Enterprise) 5.1.3\n\n### Workarounds\nThere is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.\n\n### References\nhttps://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437\n",
"fixed_versions": [
"3.12.13",
"4.1.10",
"4.2.6",
"5.0.4",
"5.1.3"
],
"identifier": "GMS-2022-8871",
"identifiers": [
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8871",
"CVE-2022-36437"
],
"not_impacted": "All versions after 3.12.12 before 4.0, all versions after 4.0.6 before 4.1, all versions after 4.1.9 before 4.2, all versions after 4.2.5 before 5.0, all versions after 5.0.3 before 5.1, all versions after 5.1.2",
"package_slug": "maven/com.hazelcast/hazelcast-enterprise",
"pubdate": "2022-12-27",
"solution": "Upgrade to versions 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3 or above.",
"title": "Duplicate of ./maven/com.hazelcast/hazelcast-enterprise/CVE-2022-36437.yml",
"urls": [
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "07a61139-44be-44ef-a062-c8cddb1415ae"
},
{
"affected_range": "[,3.12.13),[4.0,4.0.6],[4.1,4.1.10),[4.2,4.2.6),[5.0,5.0.4),[5.1,5.1.3)",
"affected_versions": "All versions before 3.12.13, all versions starting from 4.0 up to 4.0.6, all versions starting from 4.1 before 4.1.10, all versions starting from 4.2 before 4.2.6, all versions starting from 5.0 before 5.0.4, all versions starting from 5.1 before 5.1.3",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2023-08-11",
"description": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.\n\n An unauthorized user is able to run protected client tasks if her connection ID is equal to an already authenticated user\u0027s existing one. The check if the client endpoint is trusted is done against a `Map\u003cConnection, ClientEndpoint\u003e`. With only the int-typed connection ID in its `equals()` method compared it\u0027s easy to bypass the check. For the attacker it\u0027s only about spending some time on opening/closing connection in a loop.",
"fixed_versions": [
"3.12.13",
"4.1.10",
"4.2.6",
"5.0.4",
"5.1.3"
],
"identifier": "CVE-2022-36437",
"identifiers": [
"CVE-2022-36437",
"GHSA-c5hg-mr8r-f6jp",
"GMS-2022-8870"
],
"not_impacted": "All versions starting from 3.12.13 before 4.0, all versions after 4.0.6 before 4.1, all versions starting from 4.1.10 before 4.2, all versions starting from 4.2.6 before 5.0, all versions starting from 5.0.4 before 5.1, all versions starting from 5.1.3",
"package_slug": "maven/com.hazelcast/hazelcast",
"pubdate": "2022-12-29",
"solution": "Upgrade to versions 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3 or above.",
"title": "Hazelcast connection caching",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437",
"https://github.com/advisories/GHSA-c5hg-mr8r-f6jp"
],
"uuid": "578144d3-8153-48f5-ae26-37f368b8eed4"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.5.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.5.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.12.13",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.10",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.2.6",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.1.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.1.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.2.6",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.10",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.12.13",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-36437"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2
}
},
"lastModifiedDate": "2023-01-09T18:33Z",
"publishedDate": "2022-12-29T23:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…