CVE-2023-45860
Hazelcast Platform permission checking in CSV File Source connector
6.5
MEDIUM
CVSS 3.1
EPSS 0.46%
Description
### Impact
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. The issue arises from inadequate permission checking, which could allow unauthorized clients to access data from files stored on a member's filesystem.
### Patches
Fix versions: 5.3.5, 5.4.0-BETA-1
### Workaround
Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs will not work.
How to fix CVE-2023-45860
To remediate CVE-2023-45860, upgrade the affected package to a fixed version below.
- upgrade to 5.3.5 or later
- upgrade to 5.3.5 or later
Is CVE-2023-45860 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 5.3.0, < 5.3.5
- >= 5.3.0, < 5.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |