Vulnerabilities > CVE-2016-10750 - Deserialization of Untrusted Data vulnerability in Hazelcast

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
hazelcast
CWE-502
NVD
Published: 2019-05-22
Updated: 2019-08-08

Summary

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

Vulnerable Configurations

Part Description Count
Application
Hazelcast
229

Common Weakness Enumeration (CWE)

Redhat

advisories
rhsa
idRHSA-2019:2413

References