CVE-2020-17516

Status: PUBLISHED

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when the internode_encryption setting is 'dc' or 'rack', accept both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or datacenter, bypassing the mutual TLS requirement.

Risk Scores

EPSS Score
0.85%
75.3rd percentile

Affected Products

Vendor    Product     Versions
Bitnami   cassandra   2.1.0, 2.2.0, 3.0.0

Timeline

  • Feb 3, 2021 CVE Published
  • Apr 14, 2021 EPSS Score
  • May 21, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Sep 15, 2021 EPSS Score
  • Sep 16, 2021 CVE Updated
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • May 1, 2022 EPSS Score