CVE-2023-33264
Description
Hazelcast member configuration fails to mask passwords, allowing Management Center users to view secrets in exposed configuration output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The Hazelcast ConfigXmlGenerator class does not properly mask sensitive fields such as passwords when generating XML configuration output. This flaw affects Hazelcast versions through 5.0.4, 5.1.x up to 5.1.6, and 5.2.x up to 5.2.3 [1][2]. The configuration routines fail to apply masking to certain fields, leaving credentials exposed in the generated configuration data.
Exploitation
An attacker with access to Hazelcast Management Center—which has read access to member configurations—can view the unmasked passwords. The vulnerability is triggered when the Management Center retrieves the member configuration, as the masking logic is incomplete [1][4]. No authentication bypass is required; the attacker must already have Management Center access.
Impact
Exposed secrets include LDAP authentication passwords, system user passwords, and other sensitive credentials. This could enable an attacker to escalate privileges, access external systems, or compromise the Hazelcast cluster further [1][2].
Mitigation
The issue was addressed in pull request #24266, which extends the set of masked fields in ConfigXmlGenerator [2][4]. Users should upgrade to patched versions: 5.0.5, 5.1.7, 5.2.4, or later. No workaround is available; upgrading is the recommended action.
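The advisory gives no workaround other than upgrading, so the practical check a defender can run is to confirm that the Hazelcast build actually in use masks realm passwords when it renders member configuration. The following is an added example, not code from the Hazelcast project or from this advisory: it builds a Config carrying the two credential types the fix covers (a simple-authentication user password and an LDAP system-user password, using the same Config/RealmConfig setters the fix's test uses), renders it with masking enabled, and fails if either plaintext secret appears in the output. The two-argument ConfigXmlGenerator(formatted, maskSensitiveFields) constructor is an assumption about the public API; the secret values and the bind DN are constructed sample data.

```java
import com.hazelcast.config.Config;
import com.hazelcast.config.ConfigXmlGenerator;
import com.hazelcast.config.LdapAuthenticationConfig;
import com.hazelcast.config.RealmConfig;
import com.hazelcast.config.SimpleAuthenticationConfig;

import java.util.ArrayList;
import java.util.List;

/**
 * Added verification check (not Hazelcast project code). Renders a Config
 * with masking enabled, the mode Management Center relies on, and reports
 * any realm password that survives in plaintext. Run it on the classpath of
 * the Hazelcast version you deploy; a non-zero exit means that build still
 * leaks realm credentials and should be upgraded.
 */
public class RealmPasswordMaskingCheck {
    // Constructed sample secrets, chosen to be easy to grep for in the output.
    static final String SIMPLE_PASSWORD = "CONSTRUCTED-simple-secret-7f3a";
    static final String LDAP_PASSWORD = "CONSTRUCTED-ldap-secret-9c1e";

    /** Config carrying both credential types named in the advisory. */
    static Config buildConfig() {
        Config cfg = new Config();
        cfg.getSecurityConfig()
           .addRealmConfig("simple", new RealmConfig().setSimpleAuthenticationConfig(
                   new SimpleAuthenticationConfig().addUser("svc-user", SIMPLE_PASSWORD)))
           .addRealmConfig("ldap", new RealmConfig().setLdapAuthenticationConfig(
                   new LdapAuthenticationConfig()
                           .setSystemUserDn("cn=bind,dc=example,dc=test") // constructed
                           .setSystemUserPassword(LDAP_PASSWORD)));
        return cfg;
    }

    /** Names of secrets found unmasked in the generated XML; empty means safe. */
    static List<String> leakedSecrets(String generatedXml) {
        List<String> leaked = new ArrayList<>();
        if (generatedXml.contains(SIMPLE_PASSWORD)) {
            leaked.add("simple realm <user password=...>");
        }
        if (generatedXml.contains(LDAP_PASSWORD)) {
            leaked.add("ldap <system-user-password>");
        }
        return leaked;
    }

    public static void main(String[] args) {
        // Assumed constructor: (formatted output, maskSensitiveFields).
        // Masking on is the setting the fixed generator keys on.
        ConfigXmlGenerator generator = new ConfigXmlGenerator(true, true);
        String xml = generator.generate(buildConfig());

        List<String> leaked = leakedSecrets(xml);
        if (leaked.isEmpty()) {
            System.out.println("OK: realm passwords are masked in generated member config");
        } else {
            System.out.println("LEAK: unmasked " + leaked
                    + " in generated config; this build is affected, upgrade to a patched release");
            System.exit(1);
        }
    }
}
```

The check deliberately greps the rendered XML for the literal secret rather than inspecting parsed config objects, because the exposure in this CVE is in the serialized output that Management Center displays, and a literal match is independent of which element or attribute a future field ends up in.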
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.hazelcast:hazelcast (Maven) | >= 4.0-BETA-1, <= 4.2.8 | — |
| com.hazelcast:hazelcast (Maven) | >= 5.0-BETA-1, < 5.0.5 | 5.0.5 |
| com.hazelcast:hazelcast (Maven) | >= 5.1-BETA-1, < 5.1.6 | 5.1.6 |
| com.hazelcast:hazelcast (Maven) | >= 5.2-BETA-1, < 5.2.4 | 5.2.4 |
| com.hazelcast:hazelcast (Maven) | >= 5.3.0-BETA-1, < 5.3.0 | 5.3.0 |
Affected products
Patches (2)
74eed86c2b2b Extend set of masked fields in ConfigXmlGenerator [HZ-2289] (#24266)
2 files changed · +22 −7
hazelcast/src/main/java/com/hazelcast/config/ConfigXmlGenerator.java+8 −5 modified@@ -208,6 +208,9 @@ public String generate(Config config) { } private String getOrMaskValue(String value) { + if (value == null) { + return null; + } return maskSensitiveFields ? MASK_FOR_SENSITIVE_DATA : value; } @@ -322,7 +325,7 @@ private static void tlsAuthenticationGenerator(XmlGenerator gen, TlsAuthenticati .close(); } - private static void ldapAuthenticationGenerator(XmlGenerator gen, LdapAuthenticationConfig c) { + private void ldapAuthenticationGenerator(XmlGenerator gen, LdapAuthenticationConfig c) { if (c == null) { return; } @@ -339,7 +342,7 @@ private static void ldapAuthenticationGenerator(XmlGenerator gen, LdapAuthentica .nodeIfContents("role-search-scope", c.getRoleSearchScope()) .nodeIfContents("user-name-attribute", c.getUserNameAttribute()) .nodeIfContents("system-user-dn", c.getSystemUserDn()) - .nodeIfContents("system-user-password", c.getSystemUserPassword()) + .nodeIfContents("system-user-password", getOrMaskValue(c.getSystemUserPassword())) .nodeIfContents("system-authentication", c.getSystemAuthentication()) .nodeIfContents("security-realm", c.getSecurityRealm()) .nodeIfContents("password-attribute", c.getPasswordAttribute()) @@ -350,7 +353,7 @@ private static void ldapAuthenticationGenerator(XmlGenerator gen, LdapAuthentica .close(); } - private static void kerberosAuthenticationGenerator(XmlGenerator gen, KerberosAuthenticationConfig c) { + private void kerberosAuthenticationGenerator(XmlGenerator gen, KerberosAuthenticationConfig c) { if (c == null) { return; } 
@@ -365,14 +368,14 @@ private static void kerberosAuthenticationGenerator(XmlGenerator gen, KerberosAu kerberosGen.close(); } - private static void simpleAuthenticationGenerator(XmlGenerator gen, SimpleAuthenticationConfig c) { + private void simpleAuthenticationGenerator(XmlGenerator gen, SimpleAuthenticationConfig c) { if (c == null) { return; } XmlGenerator simpleGen = gen.open("simple"); addClusterLoginElements(simpleGen, c).nodeIfContents("role-separator", c.getRoleSeparator()); for (String username : c.getUsernames()) { - simpleGen.open("user", "username", username, "password", c.getPassword(username)); + simpleGen.open("user", "username", username, "password", getOrMaskValue(c.getPassword(username))); for (String role : c.getRoles(username)) { simpleGen.node("role", role); }
hazelcast/src/test/java/com/hazelcast/config/ConfigXmlGeneratorTest.java+14 −2 modified@@ -108,8 +108,15 @@ public void testIfSensitiveDataIsMasked_whenMaskingEnabled() { cfg.getNetworkConfig().setSymmetricEncryptionConfig(symmetricEncryptionConfig); cfg.setLicenseKey("HazelcastLicenseKey"); + cfg.getSecurityConfig().addRealmConfig("simple", + new RealmConfig().setSimpleAuthenticationConfig(new SimpleAuthenticationConfig().addUser("test", "pass")) + .setUsernamePasswordIdentityConfig("myidentity", "mypasswd")) + .addRealmConfig("ldap", new RealmConfig().setLdapAuthenticationConfig( + new LdapAuthenticationConfig().setSystemUserDn("cn=test").setSystemUserPassword("ldappass"))); + Config newConfigViaXMLGenerator = getNewConfigViaXMLGenerator(cfg); SSLConfig generatedSSLConfig = newConfigViaXMLGenerator.getNetworkConfig().getSSLConfig(); + SecurityConfig secCfg = newConfigViaXMLGenerator.getSecurityConfig(); assertEquals(MASK_FOR_SENSITIVE_DATA, generatedSSLConfig.getProperty("keyStorePassword")); assertEquals(MASK_FOR_SENSITIVE_DATA, generatedSSLConfig.getProperty("trustStorePassword")); @@ -119,6 +126,11 @@ public void testIfSensitiveDataIsMasked_whenMaskingEnabled() { assertEquals(MASK_FOR_SENSITIVE_DATA, secPassword); assertEquals(MASK_FOR_SENSITIVE_DATA, theSalt); assertEquals(MASK_FOR_SENSITIVE_DATA, newConfigViaXMLGenerator.getLicenseKey()); + RealmConfig simpleRealm = secCfg.getRealmConfig("simple"); + assertEquals(MASK_FOR_SENSITIVE_DATA, simpleRealm.getSimpleAuthenticationConfig().getPassword("test")); + assertEquals(MASK_FOR_SENSITIVE_DATA, simpleRealm.getUsernamePasswordIdentityConfig().getPassword()); + assertEquals(MASK_FOR_SENSITIVE_DATA, + secCfg.getRealmConfig("ldap").getLdapAuthenticationConfig().getSystemUserPassword()); } @Test 
@@ -657,7 +669,7 @@ public void testLdapConfig() { SecurityConfig expectedConfig = new SecurityConfig().setClientRealmConfig("ldapRealm", realmConfig); cfg.setSecurityConfig(expectedConfig); - SecurityConfig actualConfig = getNewConfigViaXMLGenerator(cfg).getSecurityConfig(); + SecurityConfig actualConfig = getNewConfigViaXMLGenerator(cfg, false).getSecurityConfig(); assertEquals(expectedConfig, actualConfig); } @@ -715,7 +727,7 @@ public void testSimpleAuthenticationConfig() { ); SecurityConfig expectedConfig = new SecurityConfig().setMemberRealmConfig("simpleRealm", realmConfig); cfg.setSecurityConfig(expectedConfig); - SecurityConfig actualConfig = getNewConfigViaXMLGenerator(cfg).getSecurityConfig(); + SecurityConfig actualConfig = getNewConfigViaXMLGenerator(cfg, false).getSecurityConfig(); assertEquals(expectedConfig, actualConfig); }
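Review bot: the null guard added to getOrMaskValue (hunk @@ -208,6) changes what an unset secret renders as, and that deserves a one-line comment: nodeIfContents skips a null value, so an absent password is now omitted from the output instead of being emitted as MASK_FOR_SENSITIVE_DATA, while a present value is still replaced whenever maskSensitiveFields is set. Without the comment a later reader may "simplify" the guard away and turn every missing password into a spurious masked element.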
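Review bot: dropping static from ldapAuthenticationGenerator (hunk @@ -322,7) is forced by getOrMaskValue reading the instance field maskSensitiveFields, which means any remaining static call site would no longer compile; the same removal repeats for the Kerberos and simple generators below. A sentence in the PR description saying the static removals exist only to reach maskSensitiveFields would stop them reading as unrelated churn.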
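Review bot: routing system-user-password through getOrMaskValue (hunk @@ -339,7) closes the LDAP leak, but the surrounding lines still pass system-user-dn, user-name-attribute, password-attribute and security-realm through unchanged, and nothing in the code marks which LdapAuthenticationConfig fields count as sensitive. A short comment listing the secret-bearing fields next to this call would make it likelier that a future credential attribute is added through getOrMaskValue rather than through a bare nodeIfContents.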
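Review bot: kerberosAuthenticationGenerator loses static (hunk @@ -350,7) but the hunk shows no getOrMaskValue call inside it, so the motivation is not visible in the diff; if the method now has to call the instance ldapAuthenticationGenerator, a brief comment or PR note saying so would help, and if KerberosAuthenticationConfig carries any credential of its own it should be masked in this same change rather than left for a follow-up.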
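Review bot: in the simple-authentication hunk (@@ -365,14) the result of getOrMaskValue is passed to simpleGen.open(...) as the value of the password attribute rather than to nodeIfContents, and getOrMaskValue can now return null. Confirm that XmlGenerator.open tolerates a null attribute value (omits the attribute rather than writing the string "null"), since a user entry with no password set now reaches that path; a test case with such a user would pin the behaviour down.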
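Review bot: the new assertions in testIfSensitiveDataIsMasked_whenMaskingEnabled (hunk @@ -108,8 and @@ -119,6) check that the UsernamePasswordIdentityConfig password is masked, yet no production change to that path appears in this PR; the +8 −5 to ConfigXmlGenerator is fully accounted for by the null guard, the three static removals and the two new getOrMaskValue calls. Stating in the PR that the identity password was already masked would make clear that this assertion is a regression guard rather than coverage of a fix made here.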
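Review bot: switching testLdapConfig to getNewConfigViaXMLGenerator(cfg, false) (hunk @@ -657,7, and likewise testSimpleAuthenticationConfig in @@ -715,7) is the right way to keep the round-trip equality assertions valid now that these passwords are masked, but it also means the round-trip tests no longer exercise the masked path for these realms at all; that behaviour is now covered only by testIfSensitiveDataIsMasked_whenMaskingEnabled, so any future credential field added to these configs needs an assertion there as well.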
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-5gj6-62g7-vmgf (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-33264 (NVD advisory)
- [3] github.com/hazelcast/hazelcast/commit/74eed86c2b2b727148c442e98a01d0ca6941a49e (fix commit)
- [4] github.com/hazelcast/hazelcast/pull/24266 (pull request)
- [5] github.com/hazelcast/hazelcast/pull/24266/commits/80a502d53cc48bf895711ab55f95e3a51e344ac1 (pull request commit)