#VU46223 Permissions, Privileges, and Access Controls in Cassandra - CVE-2020-13946
Published: September 2, 2020
Vulnerability identifier: #VU46223
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-13946
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cassandra
Cassandra
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due application allows remote method invocation. A local user with limited access to the system can use RMI rebind attack vector to perform a MitM attack and obtain user names and passwords used to access the JMX interface.
Remediation
Install updates from vendor's website.
External links
- https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7@%3Cuser.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce@%3Cuser.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E