In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.hazelcast:hazelcast(Maven) | 0 | 3.11 | N/A |
CVSS Metrics
