GHSA-ffm7-7r8g-77xm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ffm7-7r8g-77xm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-ffm7-7r8g-77xm/GHSA-ffm7-7r8g-77xm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ffm7-7r8g-77xm
- Aliases
- Published
- 2022-02-10T22:38:50Z
- Modified
- 2024-02-22T05:34:00.973377Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Apache CXF JMX Integration is vulnerable to a MITM attack
- Details
-
Apache CXF has the ability to integrate with JMX by registering an
InstrumentationManagerextension with the CXF bus. If thecreateMBServerConnectorFactoryproperty of the defaultInstrumentationManagerImplis not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX. - Database specific
{ "nvd_published_at": "2020-04-01T21:15:00Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-05-07T18:12:21Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-1954
- https://github.com/apache/cxf/commit/1cf4fed546904a4a2560f53a2a2391d834b4026c
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://security.netapp.com/advisory/ntap-20220210-0001
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://cxf.apache.org/security-advisories.data/CVE-2020-1954.txt.asc?version=1&modificationDate=1585730169000&api=v2
Affected packages
Maven / org.apache.cxf:cxf-rt-management
Package
- Name
- org.apache.cxf:cxf-rt-management
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf/cxf-rt-management
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.2.13
Affected versions
2.*
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18
3.*
3.0.0-milestone1
3.0.0-milestone2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
Maven / org.apache.cxf:cxf-rt-management
Package
- Name
- org.apache.cxf:cxf-rt-management
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf/cxf-rt-management