First published: Tue Sep 01 2020
A flaw was found in Apache Cassandra in versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2. A local attacker without access to the Apache Cassandra process or configuration files can manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. A JRE vulnerability (CVE-2019-2684) enables this issue to be exploited remotely. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security@apache.org
Affected Software | Affected Version | How to fix
---|---|---
Apache Cassandra | <2.1.22 | Upgrade to 2.1.22
Apache Cassandra | >=2.2.0, <2.2.18 | Upgrade to 2.2.18
Apache Cassandra | >=3.0.0, <3.0.22 | Upgrade to 3.0.22
Apache Cassandra | >=3.11.0, <3.11.8 | Upgrade to 3.11.8
Apache Cassandra | =4.0.0-alpha1 | Upgrade to 4.0-beta2
Apache Cassandra | =4.0.0-alpha2 | Upgrade to 4.0-beta2
Apache Cassandra | =4.0.0-alpha3 | Upgrade to 4.0-beta2
Apache Cassandra | =4.0.0-alpha4 | Upgrade to 4.0-beta2
Apache Cassandra | =4.0.0-beta1 | Upgrade to 4.0-beta2
NetApp OnCommand Insight | | 
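The affected ranges in the table above are awkward to check by hand because Cassandra's 4.0 pre-releases (alpha/beta tags) do not sort numerically. The following is an added example, not code from the advisory or from the Cassandra project: it encodes the table's ranges literally and classifies a version string (or the `ReleaseVersion:` line printed by `nodetool version`, an assumed output format) as affected or not. Versions the table does not list, such as 3.10, are reported as unaffected by this check, so compare them against the "prior to 3.11.8" wording in the text yourself.

```python
import re
from typing import Optional, Tuple

# Ranges copied from the advisory table: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, "2.1.22"),
    ("2.2.0", "2.2.18"),
    ("3.0.0", "3.0.22"),
    ("3.11.0", "3.11.8"),
]
# Pre-release builds listed individually in the table (fixed in 4.0-beta2).
AFFECTED_EXACT = {"4.0.0-alpha1", "4.0.0-alpha2", "4.0.0-alpha3",
                  "4.0.0-alpha4", "4.0.0-beta1"}

PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
VERSION_RE = re.compile(r"(\d+(?:\.\d+){0,2})(?:-(alpha|beta|rc)(\d*))?")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Turn '3.11.7', '4.0-beta1' or '4.0.0-alpha3' into a sortable key.
    The numeric part is padded to three components, so 4.0-beta1 and
    4.0.0-beta1 compare equal; a final release (no tag) ranks above every
    alpha/beta/rc build of the same number, so 4.0.0 > 4.0.0-beta2."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    if m.group(2) is None:
        pre = (99, 0)  # release sorts after any pre-release tag
    else:
        pre = (PRE_RANK[m.group(2)], int(m.group(3) or 0))
    return (nums[0], nums[1], nums[2]), pre


def is_affected(version: str) -> bool:
    """True if `version` falls inside any range or exact entry of the table."""
    key = parse_version(version)
    if any(key == parse_version(v) for v in AFFECTED_EXACT):
        return True
    for low, high in AFFECTED_RANGES:
        if (low is None or parse_version(low) <= key) and key < parse_version(high):
            return True
    return False


def version_from_nodetool(output: str) -> Optional[str]:
    """Extract the version from `nodetool version` output (assumed format:
    a line reading 'ReleaseVersion: 3.11.7'); None if no such line."""
    m = re.search(r"^ReleaseVersion:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None
```

Run `is_affected(version_from_nodetool(output))` on each node's `nodetool version` output to find hosts still on a listed version; the same key function also sorts a mixed fleet of release and pre-release builds correctly.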
CVE-2020-13946 is a vulnerability in Apache Cassandra that allows a local attacker to manipulate the RMI registry and perform a man-in-the-middle attack to capture user names and passwords.
CVE-2020-13946 has a severity level of medium (5.9).
All versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8, and 4.0-beta2 are affected by CVE-2020-13946.
A local attacker without access to the Apache Cassandra process or configuration files can manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords.
The following references provide more information about CVE-2020-13946:

- [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2019-2684)
- [Apache Cassandra Mailing List](https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E)
- [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1875831)