PT-2020-13797 · Apache · Apache Cassandra
Published 2020-09-01 · Updated 2025-07-14 · CVE-2020-13946
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Cassandra versions prior to 2.1.22
Apache Cassandra versions prior to 2.2.18
Apache Cassandra versions prior to 3.0.22
Apache Cassandra versions prior to 3.11.8
Apache Cassandra versions prior to 4.0-beta2
Description
The issue allows a local attacker to manipulate the RMI registry used by the JMX interface and perform a man-in-the-middle attack that captures the user names and passwords used to authenticate to JMX. With those credentials, the attacker can access the JMX interface and perform unauthorized operations.
Recommendations
For versions prior to 2.1.22, update to version 2.1.22 or later.
For versions prior to 2.2.18, update to version 2.2.18 or later.
For versions prior to 3.0.22, update to version 3.0.22 or later.
For versions prior to 3.11.8, update to version 3.11.8 or later.
For versions prior to 4.0-beta2, update to version 4.0-beta2 or later.
Weakness Enumeration
Exposure of Resource to Wrong Sphere
Related Identifiers
CVE-2020-13946
Affected Products
Apache Cassandra