CVE-2020-17516

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-17516
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-17516.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-17516
Aliases
Downstream
Related
Published
2021-02-03T17:15:13Z
Modified
2025-07-16T10:46:00.625117Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

References

Affected packages

Git / github.com/apache/cassandra

Affected ranges

Type
GIT
Repo
https://github.com/apache/cassandra
Events
Introduced
437bb9de77f54aa5a4a6a634ab3d2c753a17b3fc
Last affected
0d9462efc2cbf2a61a67ae4f6786086bb30272ef
Introduced
96f407bce56b98cd824d18e32ee012dbb99a0286
Last affected
31530ff5ac6bd3bacd4b378573a2d191bdab8cd7
Introduced
88dee7e9d515ad94ecf8f2309f1e6138ec79e1a2
Last affected
5ef75dd96cb693e4041e9ecb61a6852276f0eca4
Introduced
e06c1e8381525363e90ccf694275361e2958647a
Last affected
94e9149c22f6a7772c0015e1b1ef2e2961155c0a

Affected versions

cassandra-2.*

cassandra-2.0.17
cassandra-2.1.10
cassandra-2.1.11
cassandra-2.1.12
cassandra-2.1.13
cassandra-2.1.14
cassandra-2.1.15
cassandra-2.1.16
cassandra-2.1.17
cassandra-2.1.18
cassandra-2.1.19
cassandra-2.1.20
cassandra-2.1.21
cassandra-2.1.22
cassandra-2.1.9
cassandra-2.2.0
cassandra-2.2.1
cassandra-2.2.10
cassandra-2.2.11
cassandra-2.2.12
cassandra-2.2.13
cassandra-2.2.14
cassandra-2.2.15
cassandra-2.2.16
cassandra-2.2.17
cassandra-2.2.18
cassandra-2.2.19
cassandra-2.2.2
cassandra-2.2.3
cassandra-2.2.4
cassandra-2.2.5
cassandra-2.2.6
cassandra-2.2.8
cassandra-2.2.9