5.9

CVE-2020-13946

EPSS 0.23%
Published 01.09.2020 21:15:11
Last modified 21.11.2024 05:02:12
Source security@apache.org
Teams watchlist Login
Open Login

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Cassandra Version < 2.1.22

Apache ≫ Cassandra Version >= 2.2.0 < 2.2.18

Apache ≫ Cassandra Version >= 3.0.0 < 3.0.22

Apache ≫ Cassandra Version >= 3.11.0 < 3.11.8

Apache ≫ Cassandra Version4.0.0 Updatealpha1

Apache ≫ Cassandra Version4.0.0 Updatealpha2

Apache ≫ Cassandra Version4.0.0 Updatealpha3

Apache ≫ Cassandra Version4.0.0 Updatealpha4

Apache ≫ Cassandra Version4.0.0 Updatebeta1

Netapp ≫ Oncommand Insight Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.23%	0.457

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc%40%3Cuser.cassandra.apache.org%3E

https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E

Vendor Advisory

Mailing List

https://security.netapp.com/advisory/ntap-20210521-0005/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-13946

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-13946

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-13946

EUVD