Vulnerabilities > CVE-2016-10750 - Deserialization of Untrusted Data vulnerability in Hazelcast

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

Vulnerable Configurations

Part: Application
Description: Hazelcast
Count: 134

Common Weakness Enumeration (CWE)

Red Hat advisories

RHSA: RHSA-2019:2413