GHSA-24ww-mc5x-xc43

Suggest an improvement
Source
https://github.com/advisories/GHSA-24ww-mc5x-xc43
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-24ww-mc5x-xc43/GHSA-24ww-mc5x-xc43.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-24ww-mc5x-xc43
Aliases
Related
Published
2021-05-07T15:54:46Z
Modified
2024-02-17T05:33:58.960995Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Man-in-the-middle attack in Apache Cassandra
Details

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

Database specific 
{
    "nvd_published_at": "2020-09-01T21:15:00Z",
    "cwe_ids": [
        "CWE-668"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T19:22:12Z"
}
References

Affected packages

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.12

Affected versions

2.*

2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.18

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.22

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.11.0
Fixed
3.11.8

Affected versions

3.*

3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0-beta1
Fixed
4.0-beta2

Affected versions

4.*

4.0-beta1