CVE-2023-45860: 
Java vulnerability analysis and mitigation

A security vulnerability (CVE-2023-45860) was discovered in Hazelcast Platform through version 5.3.4. The vulnerability exists within the SQL mapping for the CSV File Source connector, affecting versions 5.3.0 through 5.3.4, 5.2.0 through 5.2.4, and all versions up to 5.1.7. The issue was disclosed on February 16, 2024 (GitHub Advisory).

The vulnerability stems from inadequate permission checking in the SQL mapping for the CSV File Source connector. The issue specifically involves the SqlConnector#resolveAndValidateFields functionality, which attempts to resolve field names from metadata and samples without proper permission validation. This security flaw has been assigned a CVSS v3.1 base score of 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability could enable unauthorized clients to access data from files stored on a member's filesystem, potentially leading to unauthorized data exposure. The impact is primarily focused on confidentiality, with no direct effect on system integrity or availability (GitHub Advisory).

The vulnerability has been patched in versions 5.3.5 and 5.2.5. As a temporary workaround, users can disable the Hazelcast Jet processing engine in the Hazelcast member configuration, though this will prevent SQL and Jet jobs from working. Organizations are strongly recommended to upgrade to the patched versions (GitHub Advisory).