GHSA-2vxm-vp4c-fjfw

Source

https://github.com/advisories/GHSA-2vxm-vp4c-fjfw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2vxm-vp4c-fjfw/GHSA-2vxm-vp4c-fjfw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2vxm-vp4c-fjfw

Aliases

BIT-cassandra-2020-17516
CVE-2020-17516

Published

2022-02-09T01:01:22Z

Modified

2024-02-17T05:34:23.508577Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Authentication Bypass in Apache Cassandra

Details

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

Database specific

{
    "nvd_published_at": "2021-02-03T17:15:00Z",
    "cwe_ids": [
        "CWE-290"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-02T22:58:25Z"
}

References

Affected packages

Maven / org.apache.cassandra:cassandra-all

Package

Name: org.apache.cassandra:cassandra-all; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

3.0.24

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.20

2.1.21

2.1.22

2.2.0-beta1

2.2.0-rc1

2.2.0-rc2

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

3.*

3.0.0-alpha1

3.0.0-beta1

3.0.0-beta2

3.0.0-rc1

3.0.0-rc2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

3.0.20

3.0.21

3.0.22

3.0.23

Maven / org.apache.cassandra:cassandra-all

Package

Name: org.apache.cassandra:cassandra-all; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.11.0

Fixed

3.11.10

Affected versions

3.*

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.11.5

3.11.6

3.11.7

3.11.8

3.11.9