5.3

CVE-2024-27137

In Apache Cassandra it is possible for a local attacker without access
 to the Apache Cassandra process or configuration files to manipulate 
the RMI registry to perform a man-in-the-middle attack and capture user 
names and passwords used to access the JMX interface. The attacker can 
then use these credentials to access the JMX interface and perform 
unauthorized operations.


This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10.


This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11.


Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheCassandra Version >= 4.0.2 < 4.0.15
ApacheCassandra Version >= 4.1.0 < 4.1.8
ApacheCassandra Version > 5.0.0 < 5.0.3
ApacheCassandra Version5.0.0 Update-
ApacheCassandra Version5.0.0 Updatebeta1
ApacheCassandra Version5.0.0 Updaterc1
ApacheCassandra Version5.0.0 Updaterc2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.05% 0.161
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 1.8 3.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm
Vendor Advisory
Mailing List
Issue Tracking