Lucene search

GoogleOSV:BIT-CASSANDRA-2020-13946

HistoryMar 06, 2024 - 10:51 a.m.

BIT-cassandra-2020-13946

2024-03-0610:51:19

Google

osv.dev

apache cassandra

rmi registry

jmx interface

man-in-the-middle attack

cve-2019-2684

jre vulnerability

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

6.8 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.5%

JSON

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

CPENameOperatorVersion
cassandrale4.0.0-alpha1
cassandrage4.0.0-beta1
cassandrage4.0.0-alpha1
cassandrale4.0.0-alpha4
cassandrage3.11.0
cassandrage4.0.0-alpha4
cassandralt3.0.22
cassandrale4.0.0-beta1
cassandrage3.0.0
cassandrage2.2.0

Name	Operator	Version
cassandra	le	4.0.0-alpha1
cassandra	ge	4.0.0-beta1
cassandra	ge	4.0.0-alpha1
cassandra	le	4.0.0-alpha4
cassandra	ge	3.11.0
cassandra	ge	4.0.0-alpha4
cassandra	lt	3.0.22
cassandra	le	4.0.0-beta1
cassandra	ge	3.0.0
cassandra	ge	2.2.0