9.1
CVE-2022-36437
- EPSS 0.37%
- Published 29.12.2022 23:15:09
- Last modified 11.04.2025 23:15:26
- Source cve@mitre.org
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Data provided by the National Vulnerability Database (NVD)

Affected configurations:
- Hazelcast ≫ Hazelcast-jet (SwEdition: -) Version < 4.5.4
- Hazelcast ≫ Hazelcast-jet (SwEdition: enterprise) Version < 4.5.4
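The version ceilings in the description ("through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2" for Hazelcast, "through 4.5.3" for Hazelcast Jet, matching the Jet < 4.5.4 configuration above) are per release branch, so a naive `version < 5.1.3` comparison would mis-triage a 4.x node. The following inventory triage script is an added example, not part of this page or of the Hazelcast project; the host names and inventory rows are constructed, and a branch the advisory does not name (3.x, 5.2 and later) is reported as `unlisted` for manual review rather than assumed safe.

```python
import re
from typing import Optional, Tuple

# Per-branch ceilings taken from the CVE description: Hazelcast is affected
# "through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2", Hazelcast Jet "through
# 4.5.3". Key: (major, minor) branch -> highest affected patch level.
AFFECTED_CEILINGS = {
    "hazelcast": {(4, 0): 6, (4, 1): 9, (4, 2): 5, (5, 0): 3, (5, 1): 2},
    "hazelcast-jet": {(4, 5): 3},
}

# Accepts "5.1.2", "v4.5", "5.1.2-SNAPSHOT", "4.5.3.RC1". The trailing
# qualifier is ignored so that pre-release builds of an affected patch
# level are still flagged instead of silently skipped.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def assess(product: str, version: str) -> str:
    """Classify one product/version pair against CVE-2022-36437.

    'affected'    - at or below the ceiling the advisory names for that branch
    'fixed'       - same branch, patch level above the ceiling
    'unlisted'    - product or branch the advisory does not name (e.g. 3.x,
                    5.2+): needs manual review, must not be assumed safe
    'unparseable' - the version string could not be read
    """
    ceilings = AFFECTED_CEILINGS.get(product.strip().lower())
    if ceilings is None:
        return "unlisted"
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    major, minor, patch = parsed
    ceiling = ceilings.get((major, minor))
    if ceiling is None:
        return "unlisted"
    return "affected" if patch <= ceiling else "fixed"


def triage(inventory):
    """Run assess() over (host, product, version) rows and return
    (host, product, version, verdict) tuples with 'affected' rows first."""
    order = {"affected": 0, "unparseable": 1, "unlisted": 2, "fixed": 3}
    rows = [(host, product, version, assess(product, version))
            for host, product, version in inventory]
    return sorted(rows, key=lambda r: order[r[3]])


# Constructed sample inventory (hypothetical hosts, not data from the page).
SAMPLE_INVENTORY = [
    ("cache-01.example.internal", "hazelcast", "5.1.2"),
    ("cache-02.example.internal", "hazelcast", "5.1.3"),
    ("cache-03.example.internal", "hazelcast", "4.1.10"),
    ("jet-01.example.internal", "hazelcast-jet", "4.5.3"),
    ("jet-02.example.internal", "hazelcast-jet", "4.5.4"),
    ("legacy-01.example.internal", "hazelcast", "3.12.13"),
    ("build-01.example.internal", "hazelcast", "5.0.3-SNAPSHOT"),
]

if __name__ == "__main__":
    for host, product, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:<12} {host:<28} {product} {version}")
```

The `unlisted` bucket is deliberate: the page gives no ceiling for 3.x or for branches newer than 5.1, so the script refuses to guess and leaves those hosts for a human to check against the vendor's own release notes.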
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.585 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.1 | 3.9 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | 3.9 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
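To make the CWE-384 definition concrete, here is a minimal session store in two configurations: one that keeps the pre-authentication identifier valid after login (the weakness) and one that invalidates it and issues a fresh identifier. This is an added, generic illustration of the weakness class with HTTP-style sessions, not code from this page and not a description of Hazelcast's connection handler, whose internals the page does not give; the user record and credentials are constructed for the demo.

```python
import secrets
from typing import Dict, Optional

# Constructed credential table for the demo (hypothetical user, not from the page).
USERS = {"alice": "correct-horse-battery-staple"}


class SessionStore:
    """Minimal server-side session store.

    rotate_on_login=False reproduces the CWE-384 defect: the identifier that
    existed before authentication keeps working afterwards, so whoever chose
    or learned it now holds an authenticated session.
    rotate_on_login=True invalidates the pre-auth identifier on successful
    login and binds the user to a freshly generated one.
    """

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Optional[str]] = {}  # sid -> authenticated user or None

    def new_session(self) -> str:
        """Issue an anonymous session id, as a server does on first contact."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = None
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate inside session `sid`; returns the id the client must use
        from now on (unchanged without rotation, a new one with rotation)."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not secrets.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("bad credentials")
        if self.rotate_on_login:
            del self._sessions[sid]          # kill the pre-auth identifier
            sid = secrets.token_urlsafe(24)  # and bind the user to a fresh one
        self._sessions[sid] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """User bound to `sid`, or None if anonymous or unknown."""
        return self._sessions.get(sid)


def fixation_attack(store: SessionStore) -> bool:
    """Play the CWE-384 scenario: the attacker obtains an anonymous session id,
    the victim authenticates inside that same session (how the id is planted
    is out of scope here), and the attacker then presents the id again.
    Returns True if the attacker ends up acting as the victim."""
    planted_sid = store.new_session()                               # attacker's pre-auth id
    victim_sid = store.login(planted_sid, "alice", USERS["alice"])  # victim logs in with it
    assert store.whoami(victim_sid) == "alice"                      # victim is served either way
    return store.whoami(planted_sid) == "alice"                     # does the planted id still work?


if __name__ == "__main__":
    for rotate in (False, True):
        outcome = fixation_attack(SessionStore(rotate_on_login=rotate))
        print(f"rotate_on_login={rotate}: attacker is alice? {outcome}")
```

The victim notices nothing in either configuration; the only observable difference is whether the identifier the attacker already holds survives the authentication step, which is exactly what the CWE text describes.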