CVE-2020-1929
First published: Wed Jan 15 2020(Updated: )
The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Beam | >=2.10.0<=2.16.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-1929?
CVE-2020-1929 is a vulnerability in the Apache Beam MongoDB connector that allows for the disabling of SSL trust verification, which can lead to trust issues with certificates.
What is the severity of CVE-2020-1929?
The severity of CVE-2020-1929 is high, with a severity value of 7.5.
How does CVE-2020-1929 affect Apache Beam?
CVE-2020-1929 affects Apache Beam versions 2.10.0 to 2.16.0 by improperly disabling SSL trust verification for MongoDB connections, leading to trust issues with certificates.
How can I fix CVE-2020-1929?
To fix CVE-2020-1929, upgrade to a fixed version of Apache Beam that resolves the SSL trust verification issue.
Where can I find more information about CVE-2020-1929?
More information about CVE-2020-1929 can be found at the following reference: [Link to reference](https://lists.apache.org/thread.html/rdd0e85b71bf0274471b40fa1396d77f7b2d1165eaea4becbdc69aa04%40%3Cuser.beam.apache.org%3E)
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/first-publish-date
- agent/tags
- vendor/apache
- canonical/apache beam
- version/apache beam/2.10.0
- version/apache beam/2.16.0