VDB
CVE-2020-13920
CVE-2020-13920
PUBLISHED
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.
EPSS 0.19% · 40.5th percentile
Risk Scores
EPSS Score
0.19%
40.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | activemq | 0, 0, 0 |
| Bitnami | activemq | 0 |
Timeline
- Sep 9, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
References
- http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt url
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E url
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E url
- https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html url
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html url
- https://nvd.nist.gov/vuln/detail/CVE-2020-13920 url
- https://www.oracle.com/security-alerts/cpuoct2020.html url