CVE-2020-13946

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-13946
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13946.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-13946
Aliases
Related
Published
2020-09-01T21:15:11.833Z
Modified
2026-03-14T14:40:38.406296Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

References

Affected packages

Git / github.com/apache/cassandra

Affected ranges

Type
GIT
Repo
https://github.com/apache/cassandra
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
94e9149c22f6a7772c0015e1b1ef2e2961155c0a
Introduced
437bb9de77f54aa5a4a6a634ab3d2c753a17b3fc
Fixed
d4938cf4e488a9ef3ac48164a3e946f16255d721
Introduced
96f407bce56b98cd824d18e32ee012dbb99a0286
Fixed
45331bb612dc7847efece7e26cdd0b376bd11249
Introduced
88dee7e9d515ad94ecf8f2309f1e6138ec79e1a2
Fixed
8b29b698630960a0ebb2c695cc5b21dee4686d09
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.22"
        },
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.18"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.22"
        },
        {
            "introduced": "3.11.0"
        },
        {
            "fixed": "3.11.8"
        }
    ]
}

Affected versions

cassandra-2.*
cassandra-2.0.17
cassandra-2.1.10
cassandra-2.1.11
cassandra-2.1.12
cassandra-2.1.13
cassandra-2.1.14
cassandra-2.1.15
cassandra-2.1.16
cassandra-2.1.17
cassandra-2.1.18
cassandra-2.1.19
cassandra-2.1.20
cassandra-2.1.21
cassandra-2.1.9
cassandra-2.2.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13946.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.0.0-alpha1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.0.0-alpha2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.0.0-alpha3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.0.0-alpha4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.0.0-beta1"
            }
        ]
    }
]