CVE-2024-27137
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
04/02/2025
Last modified:
15/02/2025
Description
In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations.

This is the same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10.

This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11.

Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3, which fixes the issue.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM