CVE-2016-10750
hazelcast: java deserialization in join cluster procedure leading to remote code execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
En Hazelcast anterior de la versión 3.11, el procedimiento de apilado o agrupamiento es vulnerable a la ejecución remota de código por medio de la deserialización de Java. Si un atacante puede alcanzar una instancia de acceso a Hazelcast con un JoinRequest creado y existen clases vulnerables en el classpath, el atacante puede ejecutar un código arbitrario.
A flaw was found in the cluster join procedure in Hazelcast. This flaw allows an attacker to gain remote code execution via Java deserialization.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-05-22 CVE Reserved
- 2019-05-22 CVE Published
- 2024-05-15 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://github.com/hazelcast/hazelcast/issues/8024 | Issue Tracking | |
| https://github.com/hazelcast/hazelcast/pull/12230 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:2413 | 2019-08-08 | |
| https://access.redhat.com/security/cve/CVE-2016-10750 | 2019-08-08 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1713215 | 2019-08-08 |