{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-08T12:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/hazelcast/hazelcast/issues/8024"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/hazelcast/hazelcast/pull/12230"}, {"name": "RHSA-2019:2413", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2413"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-10750", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/hazelcast/hazelcast/issues/8024", "refsource": "MISC", "url": "https://github.com/hazelcast/hazelcast/issues/8024"}, {"name": "https://github.com/hazelcast/hazelcast/pull/12230", "refsource": "MISC", "url": "https://github.com/hazelcast/hazelcast/pull/12230"}, {"name": "RHSA-2019:2413", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2413"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T03:30:20.142Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hazelcast/hazelcast/issues/8024"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hazelcast/hazelcast/pull/12230"}, {"name": "RHSA-2019:2413", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2413"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-10750", "datePublished": "2019-05-22T13:40:06", "dateReserved": "2019-05-22T00:00:00", "dateUpdated": "2024-08-06T03:30:20.142Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D207CCB-8DD3-4DB8-87B9-7766D37E98E3", "versionEndExcluding": "3.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code."}, {"lang": "es", "value": "En Hazelcast anterior de la versi\u00f3n 3.11, el procedimiento de apilado o agrupamiento es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo por medio de la deserializaci\u00f3n de Java. Si un atacante puede alcanzar una instancia de acceso a Hazelcast con un JoinRequest creado y existen clases vulnerables en el classpath, el atacante puede ejecutar un c\u00f3digo arbitrario."}], "id": "CVE-2016-10750", "lastModified": "2019-08-08T13:15:10.533", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-22T14:29:00.223", "references": [{"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2413"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/hazelcast/hazelcast/issues/8024"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/hazelcast/hazelcast/pull/12230"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:2413", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "hazelcast", "product_name": "Red Hat Fuse 7.4.0", "release_date": "2019-08-08T00:00:00Z"}], "bugzilla": {"description": "hazelcast: java deserialization in join cluster procedure leading to remote code execution", "id": "1713215", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1713215"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.", "A flaw was found in the cluster join procedure in Hazelcast. This flaw allows an attacker to gain remote code execution via Java deserialization."], "name": "CVE-2016-10750", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "hazelcast", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Will not fix", "package_name": "hazelcast", "product_name": "Red Hat OpenShift Application Runtimes"}], "public_date": "2016-04-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-10750\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-10750"], "statement": "The module vertx-hazelcast is not supported in Red Hat OpenShift Application Runtimes (RHOAR) products.", "threat_severity": "Important"}