CVE-2023-45859 — Missing permission checks on Hazelcast client protocol

Description

### Impact In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster. ### Patches Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1 ### Workarounds There is no known workaround.

How to fix CVE-2023-45859

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2023-45859 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 4.1.10
from 0, <= 4.1.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-45859
PATCHgithub.com/hazelcast/hazelcast
WEBgithub.com/hazelcast/hazelcast/pull/25509
WEBgithub.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66