Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
CVE-2020-13946
CVE information
Published
Last Modified
CVSSv2.0 Severity
CVSSv3.1 Severity
Impact Analysis
Description
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely..
CVSSv2.0 Score
- Severity
- Medium
- Base Score
- 4.3/10
- Exploit Score
- 8.6/10
- Access Vector
- Network
- Access Complexity
- Medium
- Authentication Required
- None
- Impact Score
- 2.9/10
- Confidentiality Impact
- Partial
- Availability Impact
- None
- Integrity Impact
- None
CVSSv3.1 Score
- Severity
- Medium
- Base Score
- 5.9/10
- Exploit Score
- 2.2/10
- Access Vector
- Network
- Access Complexity
- High
- Privileges Required
- None
- Impact Score
- 3.6/10
- Confidentiality Impact
- High
- Availability Impact
- None
- Integrity Impact
- None
- Scope
- Unchanged
- User Interaction
- None
Products Affected
| CPE | Affected | Vulnerable | Excluding | Edit |
|---|---|---|---|---|
| cpe:2.3:a:apache:cassandra:4.0.0:beta1:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:cassandra:4.0.0:alpha4:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:cassandra:4.0.0:alpha3:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:cassandra:4.0.0:alpha2:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:* |
Yes
|
3.11.0 | 3.11.8 | |
| cpe:2.3:a:apache:cassandra:4.0.0:alpha1:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:* |
Yes
|
3.0.0 | 3.0.22 | |
| cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:* |
Yes
|
2.2.0 | 2.2.18 | |
| cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:* |
Yes
|
- | 2.1.22 | |
| cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* |
Yes
|
- | - |
References
- https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc
- https://security.netapp.com/advisory/ntap-20210521-0005/
- https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca
- https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999
- https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d35