{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36437", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-11T22:46:33.774Z", "dateReserved": "2022-07-25T00:00:00.000Z", "datePublished": "2022-12-29T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-29T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:07:33.982Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-384", "lang": "en", "description": "CWE-384 Session Fixation"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-11T22:45:32.714543Z", "id": "CVE-2022-36437", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T22:46:33.774Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:07:33.982Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-36437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-11T22:45:32.714543Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384 Session Fixation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T22:46:27.111Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"}], "descriptions": [{"lang": "en", "value": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-29T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-36437", "state": "PUBLISHED", "dateUpdated": "2025-04-11T22:46:33.774Z", "dateReserved": "2022-07-25T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-12-29T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*", "matchCriteriaId": "9AD93A64-104B-4896-A576-F0BF8A9D8874", "versionEndExcluding": "3.12.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3EB5EBCF-D752-4E18-B046-D35E4A72F567", "versionEndExcluding": "3.12.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*", "matchCriteriaId": "9CEE9CCA-A7A7-4607-A219-868977A66BE2", "versionEndExcluding": "4.1.10", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "8274087A-7C77-4FF6-9D8A-1EC35EEBA79F", "versionEndExcluding": "4.1.10", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*", "matchCriteriaId": "A0425943-B0F0-445E-9DE6-B178C923AD4F", "versionEndExcluding": "4.2.6", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "80E43CED-EA47-42F7-A974-DF486138B0B0", "versionEndExcluding": "4.2.6", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*", "matchCriteriaId": "B7D1B9D0-C466-41C4-8D69-09B4CB0A015A", "versionEndExcluding": "5.0.4", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6F49B2E6-5A58-4718-AB8F-C0C5A4E511C4", "versionEndExcluding": "5.0.4", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:-:*:*:*", "matchCriteriaId": "6525EDE4-68AE-403C-A3F4-C818E760A1A9", "versionEndExcluding": "5.1.3", "versionStartIncluding": "5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CF83CEDB-CF27-426C-B846-DB1596627D33", "versionEndExcluding": "5.1.3", "versionStartIncluding": "5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:-:*:*:*", "matchCriteriaId": "5ADD9F81-E40B-4BB8-9422-6ED2006043D2", "versionEndExcluding": "4.5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:hazelcast:hazelcast-jet:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "FF545793-D052-4EFA-B74B-C6FC3DF12989", "versionEndExcluding": "4.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3."}, {"lang": "es", "value": "El controlador de conexi\u00f3n en Hazelcast y Hazelcast Jet permite que un atacante remoto no autenticado acceda y manipule datos en el cl\u00faster con la identidad de otra conexi\u00f3n ya autenticada. Las versiones de Hazelcast afectadas son la 4.0.6, 4.1.9, 4.2.5, 5.0.3 y 5.1.2. Las versiones de Hazelcast Jet afectadas son hasta la 4.5.3."}], "id": "CVE-2022-36437", "lastModified": "2025-04-11T23:15:26.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-29T23:15:09.883", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0483", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "hazelcast", "product_name": "Red Hat Fuse 7.11.1.P1", "release_date": "2023-01-26T00:00:00Z"}, {"advisory": "RHSA-2023:3954", "cpe": "cpe:/a:redhat:jboss_fuse:7", "product_name": "Red Hat Fuse 7.12", "release_date": "2023-06-29T00:00:00Z"}, {"advisory": "RHSA-2023:0661", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "hazelcast", "product_name": "Red Hat Fuse on EAP 7.11.1.P1", "release_date": "2023-02-08T00:00:00Z"}], "bugzilla": {"description": "hazelcast: Hazelcast connection caching", "id": "2162053", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162053"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-384", "details": ["The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.", "A flaw was found in Hazelcast and Hazelcast Jet. This flaw may allow an attacker unauthenticated access to manipulate data in the cluster."], "name": "CVE-2022-36437", "package_state": [{"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "impact": "low", "package_name": "hazelcast", "product_name": "Red Hat Integration Camel Quarkus 1"}], "public_date": "2022-12-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-36437\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-36437\nhttps://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"], "statement": "Red Hat Integration - Camel Quarkus Extensions: Hazelcast is contained in camel-quarkus-hazelcast but it does not affect any supported component. This package is community support only. Hence the low impact for Camel Quarkus Extension.", "threat_severity": "Critical"}

{}