CVE-2020-1954

Severity: 5.3 MEDIUM
EPSS: 0.2% (top 55.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 1; Latest update Feb 10

Description

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the 'createMBServerConnectorFactory' property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sen

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (10 packages)

Source    | Package                                  | Introduced | Fixed
NVD       | apache/cxf                               | 3.3.0      | 3.3.6 (+1 more range)
Maven     | org.apache.cxf:cxf-rt-management         | 3.3.0      | 3.3.6 (+1 more range)
CVEListV5 | apache/apache_cxf                        | affects all versions prior to 3.3.6 and 3.2.13

Patches

Vulnerability Details (3)

OSV: Apache CXF JMX Integration is vulnerable to a MITM attack (2022-02-10)
GHSA: Apache CXF JMX Integration is vulnerable to a MITM attack (2022-02-10)
CVEList: CVE-2020-1954: Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus (2020-04-01)

Vendor Advisories (2)

Oracle: Oracle Communications Risk Matrix: IDIH (Apache CXF), CVE-2020-1954 (2020-10-15)
Red Hat: cxf: JMX integration is vulnerable to a MITM attack (2020-04-01)

Community (2)

Bugzilla: CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack (2020-04-15)
Bugzilla: CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack [fedora-30] (2020-04-15)

Source: CVE-2020-1954 (MEDIUM, CVSS 5.3) | cvebase.io