PT-2022-13080 · Hazelcast · Hazelcast

Kwart · Published 2022-03-03 · Updated 2022-04-29 · CVE-2022-0265

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: hazelcast/hazelcast versions 5.1-BETA-1 through 5.1

Description: The issue is an improper restriction of XML external entity references, allowing XXE attacks. AbstractXmlConfigRootTagRecognizer() uses a SAXParser obtained from a SAXParserFactory on which FEATURE_SECURE_PROCESSING is not set, which leaves the parser open to exploitation.

Recommendations: For versions 5.1-BETA-1 through 5.1, update to version 5.1 or later to resolve the issue. As a temporary workaround, set FEATURE_SECURE_PROCESSING on the SAXParserFactory to prevent XXE attacks.
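To make the weak and the hardened factory concrete, here is an added example (not Hazelcast's code) that reads only the root tag of a constructed configuration document, once with a default SAXParserFactory as the advisory describes and once with FEATURE_SECURE_PROCESSING plus the explicit DTD and entity features set. The class name RootTagCheck, the sample document and the POSIX /dev/null target are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class RootTagCheck {
    // Constructed sample, not a Hazelcast file: the DTD declares an external general
    // entity, which a resolving parser fetches. /dev/null keeps it harmless (POSIX host).
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE hazelcast [<!ENTITY ext SYSTEM \"file:///dev/null\">]>\n"
      + "<hazelcast>&ext;</hazelcast>";
    // Hardened factory: FEATURE_SECURE_PROCESSING is the advisory's workaround (with it
    // the JDK's built-in parser denies external DTD and entity access by default); the
    // three explicit features are the usual additional XXE hardening for JAXP SAX parsers.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Read only the root tag name, the job the recognizer named in the advisory does.
    static String rootTag(SAXParserFactory factory, String xml) throws Exception {
        final String[] root = new String[1];
        factory.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                if (root[0] == null) root[0] = qName;
            }
        });
        return root[0];
    }

    public static void main(String[] args) throws Exception {
        // Weak factory as described above: no secure-processing feature, so the JDK's
        // default parser resolves the external entity while finding the root tag.
        System.out.println("weak: root=" + rootTag(SAXParserFactory.newInstance(), SAMPLE));
        try {
            rootTag(hardenedFactory(), SAMPLE);
        } catch (SAXException e) {
            System.out.println("hardened: rejected, " + e.getMessage());
        }
    }
}
```

The hardened run fails fast on the DOCTYPE itself, so untrusted configuration input never reaches entity resolution.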

Exploit · Fix · XXE


Weakness Enumeration

Related Identifiers: CVE-2022-0265, GHSA-99WH-973F-779P

Affected Products: Hazelcast