CVE-2020-13920
First published: Thu Sep 10 2020(Updated: )
Apache ActiveMQ is vulnerable to a man-in-the-middle attack, caused by improper authentication validation when connecting to the JMX RMI registry. By creating another server to proxy the original, an attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain user credentials or further compromise the system.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 | |
| Apache ActiveMQ | <5.15.12 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0<=8.2.2 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Debian Debian Linux | =9.0 | |
| redhat/Apache ActiveMQ | <5.15.12 | 5.15.12 |
| maven/org.apache.activemq:activemq-parent | <5.15.12 | 5.15.12 |
| debian/activemq | 5.16.1-1 5.17.2+dfsg-2 5.17.6+dfsg-1 | |
| ubuntu/activemq | <5.15.8-2~18.04.1~ | 5.15.8-2~18.04.1~ |
| ubuntu/activemq | <5.15.11-1ubuntu0.1~ | 5.15.11-1ubuntu0.1~ |
| ubuntu/activemq | <5.15.12 | 5.15.12 |
| ubuntu/activemq | <5.13.2+dfsg-2ubuntu0.1~ | 5.13.2+dfsg-2ubuntu0.1~ |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-13920 https://nvd.nist.gov/vuln/detail/CVE-2020-13920
- https://bugzilla.redhat.com/show_bug.cgi?id=1880101
- https://access.redhat.com/errata/RHSA-2021:3205
- https://access.redhat.com/errata/RHSA-2021:3207
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/security/cve/cve-2020-13920
- http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-13920
- https://github.com/apache/activemq/commit/359ae4b
- https://github.com/apache/activemq/commit/48cd61d
- https://github.com/apache/activemq/commit/58382283330f7c7b110c7afd8ef4ca2648786532
- https://github.com/apache/activemq/commit/b7dca5e
- https://issues.apache.org/jira/browse/AMQ-7400
- https://github.com/advisories/GHSA-xgrx-xpv2-6vp4 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2020-13920
- https://github.com/apache/activemq/commit/c29244931d54affaceabb478b3a52d9b74f5d543
- https://github.com/apache/activemq/commit/0d6e5f240ef34bae2e4089102047593bef628e6c
- https://security-tracker.debian.org/tracker/CVE-2020-13920
- https://exchange.xforce.ibmcloud.com/vulnerabilities/188067
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13920
- https://ubuntu.com/security/CVE-2020-13920
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-13920?
CVE-2020-13920 is a vulnerability in Apache ActiveMQ that allows an attacker to connect to the JMX RMI registry without authentication and rebind the jmxrmi entry to something else.
What is the severity of CVE-2020-13920?
The severity of CVE-2020-13920 is medium, with a severity value of 5.9.
How does CVE-2020-13920 affect Apache ActiveMQ?
CVE-2020-13920 affects Apache ActiveMQ versions up to and excluding 5.15.12.
What is the Common Weakness Enumeration (CWE) ID for CVE-2020-13920?
The CWE ID for CVE-2020-13920 is CWE-287.
How can I fix CVE-2020-13920 in Apache ActiveMQ?
To fix CVE-2020-13920 in Apache ActiveMQ, upgrade to version 5.15.12 or later.
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-13920
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-xgrx-xpv2-6vp4
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/apache
- canonical/apache activemq
- vendor/oracle
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.2.2
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- package-manager/redhat
- package-manager/maven
- package-manager/debian
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19