Is CVE-2020-13946 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 3%.

What products does CVE-2020-13946 affect?

Tracked products affected include Apache Cassandra. Check the version you run to see whether it is affected.

How do I fix CVE-2020-13946?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

CVE-2020-13946

Q: What is CVE-2020-13946?

CVE-2020-13946 is a medium-severity software vulnerability (CWE-668) with a CVSS score of 5.9. In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a m

MEDIUM severity · CVSS 5.9 · CWE-668

5.9CVSS MEDIUM

Summary

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)3%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products we track (1)

Apache Cassandra

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

CVE-2020-13946

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information