PT-2023-7546 · Hazelcast · Hazelcast
Published: 2023-05-21 · Updated: 2023-06-02 · CVE-2023-33264
CVSS v3.1: 4.3 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Hazelcast versions 5.0.0 through 5.0.4
Hazelcast versions 5.1.0 through 5.1.6
Hazelcast versions 5.2.0 through 5.2.3
Description
The issue stems from insufficient protection of configuration data in the Hazelcast platform, which a remote attacker can exploit to disclose protected information. Specifically, the configuration routines do not properly mask passwords in the member configuration, so users of Hazelcast Management Center can view some secrets in plaintext.
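As an added illustration of the defect class described above (example code written for this advisory, not Hazelcast's own masking routine), the snippet below walks a member configuration loaded from YAML, reports any credential-looking leaf that is still plaintext, and produces a masked copy suitable for display in a management UI. The config layout, key names and values are a constructed sample, and the key-name heuristic is an assumption, not Hazelcast's rule set.

```python
# Constructed sample shaped like a loaded hazelcast.yaml (not a real deployment).
SAMPLE_MEMBER_CONFIG = {
    "hazelcast": {
        "cluster-name": "dev",
        "network": {"ssl": {"enabled": True, "properties": {
            "keyStore": "/opt/hz/keystore.p12",
            "keyStorePassword": "constructed-keystore-pw"}}},
        "security": {"enabled": True, "realms": [{
            "name": "ldapRealm",
            "authentication": {"ldap": {
                "system-user-dn": "cn=svc,dc=example",
                "system-user-password": "constructed-ldap-pw"}}}]},
    }
}

# Assumed heuristic: key names that conventionally hold credentials.
SECRET_MARKERS = ("password", "secret", "token", "credential")
MASK = "*****"


def is_secret_key(key):
    """True if the key name suggests it stores a credential."""
    return any(m in str(key).lower() for m in SECRET_MARKERS)


def find_unmasked_secrets(node, path=""):
    """Return dotted paths of secret-looking string leaves still holding plaintext."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if is_secret_key(key) and isinstance(value, str) and value != MASK:
                found.append(child)
            else:
                found.extend(find_unmasked_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_unmasked_secrets(item, f"{path}[{i}]"))
    return found


def mask_secrets(node):
    """Return a new structure with every secret-looking string leaf replaced by MASK."""
    if isinstance(node, dict):
        return {k: (MASK if is_secret_key(k) and isinstance(v, str) else mask_secrets(v))
                for k, v in node.items()}
    if isinstance(node, list):
        return [mask_secrets(item) for item in node]
    return node
```

Running `find_unmasked_secrets` over the output of `mask_secrets` should yield an empty list; a non-empty result is the condition this advisory describes.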
Recommendations
For Hazelcast versions 5.0.0 through 5.0.4, update to a version later than 5.0.4 to fix the issue.
For Hazelcast versions 5.1.0 through 5.1.6, update to a version later than 5.1.6 to fix the issue.
For Hazelcast versions 5.2.0 through 5.2.3, update to a version later than 5.2.3 to fix the issue.
As a temporary workaround, consider restricting access to the Hazelcast Management Center to minimize the risk of exploitation.
Fix
Insufficiently Protected Credentials
Information Disclosure
Affected Products: Hazelcast