CVE-2020-1960

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-1960
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1960.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-1960
Aliases
Published
2020-05-14T17:15:12.380Z
Modified
2026-04-10T04:18:58.492520Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name>.port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data.

References

Affected packages

Git / github.com/apache/flink

Affected ranges

Type
GIT
Repo
https://github.com/apache/flink
Events
Introduced
45f7825111232f0dd225068a72d8a092f67d49d0
Last affected
ed18e976cc41d4d7335374cee7749e93a2fe3f3e
Introduced
1c659cf4acca2cbc8c36494156d9ec28423e43c6
Last affected
76eba4e08b1c3f1c45ebf7914f30d3e871326c29
Introduced
760eea8a173c028f1434dc268a2ec719cdcc2951
Last affected
93e9a6ea4e05d93882a2ae7b5cb625bf06cfad8c
Introduced
3a9d9f24429fb70305f0a95e364bf48245e6d1a4
Last affected
04e4c8522eb28573f54a9cec7b1559e9c3d0f7aa
Introduced
c61b108b8eaa22eac3dc492b3c95c22b4177003f
Last affected
2b30969e98584bb8b0e9e6f8d7080adbcfbb5f06
Introduced
ff472b46c192d174d3e652cb6a704e0172842272
Last affected
6f4148180ba372a2c12c1d54bea8579350af6c98
Introduced
49da9f9f950fa6f103bda8be7f8b898cb42e103c
Last affected
ceba8af39b28b91ae6f2d5cbdb1b99258a73e742
Introduced
4caec0d4bab497d7f9a8d9fec4680089117593df
Last affected
d54807ba10d0392a60663f030f9fe0bfa1c66754
Introduced
9c32ed989c0178a2bf3e059e897927c451188700
Last affected
c9d2c9098d725a2d39e860bde414ecb0c5d6a233
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
aa4eb8f0c9ce74e6b92c3d9be5dc8e8cb536239d
Database specific 
{
    "versions": [
        {
            "introduced": "1.1.0"
        },
        {
            "last_affected": "1.1.5"
        },
        {
            "introduced": "1.2.0"
        },
        {
            "last_affected": "1.2.1"
        },
        {
            "introduced": "1.3.0"
        },
        {
            "last_affected": "1.3.3"
        },
        {
            "introduced": "1.4.0"
        },
        {
            "last_affected": "1.4.2"
        },
        {
            "introduced": "1.5.0"
        },
        {
            "last_affected": "1.5.6"
        },
        {
            "introduced": "1.6.0"
        },
        {
            "last_affected": "1.6.4"
        },
        {
            "introduced": "1.7.0"
        },
        {
            "last_affected": "1.7.2"
        },
        {
            "introduced": "1.8.0"
        },
        {
            "last_affected": "1.8.3"
        },
        {
            "introduced": "1.9.0"
        },
        {
            "last_affected": "1.9.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.10.0-NA"
        }
    ]
}

Affected versions

Other
pre-apache-rename
release-1.*
release-1.1.5
release-1.10.0
release-1.10.0-rc3
release-1.2.1
release-1.3.3
release-1.4.2
release-1.4.2-rc2
release-1.5.6
release-1.5.6-rc1
release-1.6.4
release-1.6.4-rc1
release-1.7.2
release-1.7.2-rc1
release-1.8.3
release-1.8.3-rc3
release-1.9.2
release-1.9.2-rc1
v0.*
v0.4-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1960.json"