CVE-2020-1954 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-1954 PUBLISHED CVSS 8.699999809265137 HIGH

Reported by apache · Published April 1, 2020

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
Apache	Apache CXF	affects all versions prior to 3.3.6 and 3.2.13
Maven	org.apache.cxf:cxf-rt-management	0, 0, 0
Maven	org.apache.cxf:cxf-core	0, 0, 0
Apache	Apache CXF	affects all versions prior to 3.3.6 and 3.2.13, affects all versions prior to 3.3.6 and 3.2.13, affects all versions prior to 3.3.6 and 3.2.13
Maven	org.apache.cxf:cxf	0, 0, 0

Timeline

Apr 1, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 17, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Jun 24, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 11, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Apr 28, 2022 EPSS Score

References

x_refsource_MISC
x_refsource_MISC
[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html mailing-listx_refsource_MLIST
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html mailing-listx_refsource_MLIST
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html mailing-listx_refsource_MLIST
x_refsource_CONFIRM
https://nvd.nist.gov/vuln/detail/CVE-2020-1954 advisory
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E url
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E url
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E url
https://github.com/advisories/GHSA-ffm7-7r8g-77xm advisory

Open in Interactive Console →