Skip to main content

Session Fixation


Severity High
Score 9.1/10


The Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity. The affected Hazelcast versions are through 3.12.12, 4.0 through 4.0.6, 4.1 through 4.1.9, 4.2 through 4.2.5, 5.0 through 5.0.3, and 5.1 through 5.1.2, and the affected Hazelcast Jet versions are through 4.5.3.

  • LOW
  • HIGH
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Advisory Timeline

  • Published