CVE-2020-13946

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:4.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:4.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:4.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:4.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:4.0.0:beta1:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:02

Type Values Removed Values Added
References () https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7%40%3Cuser.cassandra.apache.org%3E - () https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7%40%3Cuser.cassandra.apache.org%3E -
References () https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce%40%3Cuser.cassandra.apache.org%3E - () https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce%40%3Cuser.cassandra.apache.org%3E -
References () https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc%40%3Cuser.cassandra.apache.org%3E - () https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc%40%3Cuser.cassandra.apache.org%3E -
References () https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E - Mailing List, Vendor Advisory () https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E - Mailing List, Vendor Advisory
References () https://security.netapp.com/advisory/ntap-20210521-0005/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20210521-0005/ - Third Party Advisory

07 Nov 2023, 03:17

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce@%3Cuser.cassandra.apache.org%3E', 'name': '[cassandra-user] 20200901 Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7@%3Cuser.cassandra.apache.org%3E', 'name': '[cassandra-user] 20200902 Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc@%3Cuser.cassandra.apache.org%3E', 'name': '[cassandra-user] 20200911 Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce%40%3Cuser.cassandra.apache.org%3E -
  • () https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc%40%3Cuser.cassandra.apache.org%3E -
  • () https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7%40%3Cuser.cassandra.apache.org%3E -

Information

Published : 2020-09-01 21:15

Updated : 2024-11-21 05:02


NVD link : CVE-2020-13946

Mitre link : CVE-2020-13946

CVE.ORG link : CVE-2020-13946


JSON object : View

Products Affected

netapp

  • oncommand_insight

apache

  • cassandra
CWE
CWE-668

Exposure of Resource to Wrong Sphere