CVE-2016-10750: Deserialization of Untrusted Data

May 24, 2022 (updated July 6, 2022)

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

References

github.com/advisories/GHSA-jv65-pf7v-f7p8
github.com/hazelcast/hazelcast/issues/8024
github.com/hazelcast/hazelcast/pull/12230
nvd.nist.gov/vuln/detail/CVE-2016-10750

Code Behaviors & Features

Detect and mitigate CVE-2016-10750 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →