CVE-2020-1954

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-1954

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1954.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-1954

Aliases

GHSA-ffm7-7r8g-77xm

Related

Published

2020-04-01T21:15:14Z

Modified

2024-09-03T03:21:08.884801Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type: GIT
Repo: https://github.com/apache/cxf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a3ec49229acfb484617091bc1f0cb597e6db9230

Affected versions

cxf-2.*

cxf-2.1

cxf-2.1.2

cxf-2.2

cxf-2.2.1

cxf-2.2.2

cxf-2.3.0

cxf-2.4.0

cxf-2.5.0

cxf-2.5.1

cxf-2.6.0

cxf-2.6.1

cxf-2.7.0

cxf-2.7.1

cxf-2.7.2

cxf-3.*

cxf-3.0.0

cxf-3.0.0-milestone2

cxf-3.0.1

cxf-3.1.0

cxf-3.1.1

cxf-3.1.2

cxf-3.1.3

cxf-3.1.4

cxf-3.2.0

cxf-3.2.1

cxf-3.2.10

cxf-3.2.11

cxf-3.2.12

cxf-3.2.2

cxf-3.2.3

cxf-3.2.4

cxf-3.2.5

cxf-3.2.6

cxf-3.2.7

cxf-3.2.8

cxf-3.2.9