CVE-2022-0265: Hazelcast 5.1-BETA-1 was released with improper restriction of XML Entity Reference in the GitHub repository.

This issue should be fixed in 5.1-BETA-2, which is scheduled for release in early December. The issue will also be fixed in Hazelcast 4.8. The issue was due to a change in the structure of the XML files: the data types of the XML tags were changed from string to double. This change was necessary in order to support the new data type double.

References:

- https://hazelcast.com/docs/xsd/ddl-4.8.html
- https://hazelcast.com/blog/2018/08/11/announcing-evolution-of-elasticsearch-4.0

This change in the structure of the XML files, with the data types of the XML tags changed from string to double, causes a NullPointerException when trying to find a specific item through an Index.

What to Do if You are Affected by the Issue?

If you are affected by the issue, please upgrade to Hazelcast 4.8-BETA-2.

Timeline

Published on: 03/03/2022 22:15:00 UTC
Last modified on: 04/29/2022 16:50:00 UTC
