CVE-2023-45859

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

Published: Feb 28, 2024
Updated: May 4, 2025
CVE: CVE-2023-45859
GHSA: GHSA-xh6m-7cr7-xx66
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CWEs:

CWE-281

Affected Software
References

Software	From	Fixed in
com.hazelcast / hazelcast	-	4.1.10.x
com.hazelcast / hazelcast	4.2	4.2.8.x
com.hazelcast / hazelcast	5.0	5.0.5.x
com.hazelcast / hazelcast	5.1	5.1.7.x
com.hazelcast / hazelcast	5.2.0	5.2.5
com.hazelcast / hazelcast	5.3.0	5.3.5
hazelcast / hazelcast	5.2.0	5.2.5
hazelcast / hazelcast	5.3.0	5.3.5
hazelcast / hazelcast	-	4.1.10.x
hazelcast / hazelcast	4.2.0	4.2.8.x
hazelcast / hazelcast	5.0.0	5.0.5.x
hazelcast / hazelcast	5.1.0	5.1.7.x

https://github.com/hazelcast/hazelcast/pull/25509
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66

Vulnerability Database

289,697

CVE-2023-45859