CVE-2020-2021
Published: 2020-06-29
Priority: P1 · 97 · critical · 10 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 4.36% (90.0th percentile)
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.

This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile.

Resources that can be protected by SAML-based single sign-on (SSO) authentication are:
- GlobalProtect Gateway
- GlobalProtect Portal
- GlobalProtect Clientless VPN
- Authentication and Captive Portal
- PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
- Prisma Access

In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | — |
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.15 | 8.1.15 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.9 | 9.0.9 |
| palo_alto_networks | pan-os | >= 9.1 < 9.1.3 | 9.1.3 |
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | 8.0.0 – 8.0.20 | — |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.15 | 8.1.15 |
| paloaltonetworks | pan-os | >= 9.0.0 < 9.0.9 | 9.0.9 |
| paloaltonetworks | pan-os | >= 9.1.0 < 9.1.3 | 9.1.3 |
Detection & IOCs (extracted from sources)
- Exploitation requires SAML authentication to be enabled AND the 'Validate Identity Provider Certificate' option to be disabled (unchecked) in the SAML Identity Provider Server Profile; audit configurations for this combination as a detection/hunting pivot.
- Monitor for unauthenticated logins to PAN-OS and Panorama web interfaces with administrator-level privileges, which is the worst-case exploitation outcome for this CVE.
- To eliminate unauthorized sessions on GlobalProtect portals and gateways post-exploitation, hunt for rogue Authentication Override cookies; the vendor recommends rotating the certificate used to encrypt/decrypt the Authentication Override cookie as a remediation step.
- CVE-2020-2021 has also been exploited by ransomware groups; monitor for post-authentication lateral movement from GlobalProtect/VPN endpoints on affected PAN-OS versions.
- The vulnerability is NOT exploitable if SAML is not used for authentication; scope detection efforts only to SAML-enabled deployments.
- The vulnerability is NOT exploitable if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile; verify this setting as a first-pass triage step.
- PAN-OS 7.1 is not affected by this vulnerability.
- Affected versions are PAN-OS 9.1 < 9.1.3, PAN-OS 9.0 < 9.0.9, PAN-OS 8.1 < 8.1.15, and all versions of PAN-OS 8.0 (EOL); fixed in PAN-OS 8.1.15, 9.0.9, 9.1.3 and later.
- Before upgrading, ensure the signing certificate for the SAML Identity Provider is configured as the 'Identity Provider Certificate' to avoid authentication breakage post-patch.
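The triage conditions listed above (an affected release, SAML actually in use by an authentication profile, and 'Validate Identity Provider Certificate' unchecked on the referenced IdP server profile) can be checked offline against an exported PAN-OS XML configuration. The script below is an added example written for this page, not Palo Alto Networks tooling. The element paths it walks (server-profile/saml-idp/entry/validate-idp-certificate and authentication-profile/entry/method/saml-idp/server-profile) are assumptions modelled on the PAN-OS XML export layout, and the embedded configuration is constructed for the demonstration; confirm both against a real export before relying on the verdict.

```python
"""Offline audit for the CVE-2020-2021 exposure conditions in a PAN-OS XML config export.

Added example for this page, not Palo Alto Networks code. The XML element paths
are ASSUMED to mirror the PAN-OS export layout; verify them against a real export.
The sample configuration is CONSTRUCTED for demonstration only.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory; every PAN-OS 8.0.x is affected (EOL), 7.1 is not.
FIXED_IN = {(8, 1): (8, 1, 15), (9, 0): (9, 0, 9), (9, 1): (9, 1, 3)}

# Constructed sample: "okta-idp" has certificate validation off, "adfs-idp" has it on,
# "legacy-idp" omits the flag entirely; "local-admins" does not use SAML at all.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-idp"><certificate>okta-signing-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate></entry>
        <entry name="adfs-idp"><certificate>adfs-signing-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate></entry>
        <entry name="legacy-idp"><certificate>legacy-signing-cert</certificate></entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-saml"><method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method></entry>
      <entry name="admin-saml"><method><saml-idp><server-profile>adfs-idp</server-profile></saml-idp></method></entry>
      <entry name="captive-portal-saml"><method><saml-idp><server-profile>legacy-idp</server-profile></saml-idp></method></entry>
      <entry name="local-admins"><method><local-database/></method></entry>
    </authentication-profile>
  </shared>
</config>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'9.1.2-h1' -> (9, 1, 2); a hotfix suffix does not change the base release."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def version_affected(version: str) -> bool:
    """True when the release falls inside an affected range from the advisory."""
    parts = parse_version(version)
    train = parts[:2]
    if train == (8, 0):
        return True            # all of 8.0 is affected (EOL, no fix)
    if train == (7, 1):
        return False           # explicitly not affected
    fixed = FIXED_IN.get(train)
    if fixed is None:
        return False           # trains the advisory does not list are out of scope here
    return parts < fixed


def idp_profiles(root: ET.Element) -> Dict[str, Optional[bool]]:
    """SAML IdP server profile name -> validate flag (True/False, None when absent)."""
    result: Dict[str, Optional[bool]] = {}
    for entry in root.findall(".//server-profile/saml-idp/entry"):
        text = entry.findtext("validate-idp-certificate")
        result[entry.get("name", "")] = None if text is None else text.strip().lower() == "yes"
    return result


def saml_auth_profiles(root: ET.Element) -> Dict[str, str]:
    """Authentication profile name -> the SAML IdP profile it references (SAML ones only)."""
    result: Dict[str, str] = {}
    for entry in root.findall(".//authentication-profile/entry"):
        ref = entry.findtext("method/saml-idp/server-profile")
        if ref:
            result[entry.get("name", "")] = ref.strip()
    return result


Finding = Tuple[str, str, str]   # (auth profile, idp profile, reason)


def audit_config(xml_text: str) -> List[Finding]:
    """Report every SAML-backed auth profile whose IdP profile does not validate the IdP cert."""
    root = ET.fromstring(xml_text)
    idps = idp_profiles(root)
    findings: List[Finding] = []
    for auth_name, idp_name in sorted(saml_auth_profiles(root).items()):
        if idp_name not in idps:
            findings.append((auth_name, idp_name, "references a missing IdP profile"))
        elif idps[idp_name] is None:
            findings.append((auth_name, idp_name, "validate-idp-certificate not set; confirm in GUI"))
        elif idps[idp_name] is False:
            findings.append((auth_name, idp_name, "validate-idp-certificate=no"))
    return findings


def assess(xml_text: str, panos_version: str) -> dict:
    """Combine the version check with the configuration audit into one verdict."""
    findings = audit_config(xml_text)
    affected = version_affected(panos_version)
    return {
        "version_affected": affected,
        "findings": findings,
        # exposed only when an affected release AND a SAML profile with validation off coexist
        "exposed": affected and any(r == "validate-idp-certificate=no" for _, _, r in findings),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_CONFIG, "9.1.2")
    print("version affected:", verdict["version_affected"])
    for auth, idp, reason in verdict["findings"]:
        print(f"  {auth} -> {idp}: {reason}")
    print("exposed:", verdict["exposed"])
```

A profile whose IdP entry has no validate-idp-certificate element is reported separately rather than assumed safe, because the export may omit a default value; that case should be confirmed in the GUI rather than closed on the strength of the script alone. The version check treats a hotfix build of a fixed release (for example 8.1.15-h1) as fixed.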
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
| cisa | — | 10.0 | CRITICAL | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
Palo Alto
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-09-04·CVSS 6.0
CVE-2022-22965 [MEDIUM] PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2010-1622, CVE-2015-7552, CVE-2018-16840, CVE-2019-7639, CVE-2020-17049, CVE-2020-7774, CVE-2021-0131, CVE-2021-0132, CVE-2021-0133, CVE-2021-0134, CVE-2021-4044, CVE-2021-4160, CVE-2021-41773, CVE-2022-1343, CVE-2022-21449, CVE-2022-2274, CVE-2022-22963, CVE-2022-22965, CVE-2022-24697, CVE-2022-32207, CVE-2022-3358, CVE-2022-3996, CVE-2022-40664, CVE-2022-44792, CVE-2022-44793, CVE-2023-1255, CVE-2023-22809, CVE-2023-23919, CVE-2023-3341, CVE-2023-4236, CVE-2023-4863, CVE-2023-51767
Affected products: PAN-OS
CISA
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
cisa·2022-03-25·CVSS 10.0
CVE-2020-2021 [CRITICAL] CWE-347 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Vulnerability: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-2021
Remediation Due Date: 2022-04-15
Oracle
Oracle Oracle Commerce Risk Matrix: Dynamo Application Framework (Coherence) — CVE-2020-2555
vendor_oracle·2021-07-15·CVSS 9.8
CVE-2020-2555 [CRITICAL] Oracle Oracle Commerce Risk Matrix: Dynamo Application Framework (Coherence) — CVE-2020-2555
Oracle Oracle Commerce Risk Matrix: Dynamo Application Framework (Coherence) vulnerability
CVE: CVE-2020-2555
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2021 (JUL 2021)
Oracle
Oracle Oracle GraalVM Risk Matrix: Java — CVE-2020-14803
vendor_oracle·2021-01-15·CVSS 5.3
CVE-2020-14803 [MEDIUM] Oracle Oracle GraalVM Risk Matrix: Java — CVE-2020-14803
Oracle Oracle GraalVM Risk Matrix: Java vulnerability
CVE: CVE-2020-14803
CVSS: 5.3
Protocol: Multiple
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2021 (JAN 2021)
Chrome
Stable Channel Update for Desktop: CVE-2021-21106
vendor_chrome·2021-01-06·CVSS 9.6
CVE-2021-21106 [HIGH] Stable Channel Update for Desktop: CVE-2021-21106
- CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13
- [$20000][1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30
- [$20000][1155426] High CVE-2021-21108: Use after free in media
Severity: high
Palo Alto
PAN-OS: OS command injection vulnerability in GlobalProtect portal
vendor_paloalto·2020-07-08·CVSS 10.0
CVE-2020-2034 [CRITICAL] CWE-78 PAN-OS: OS command injection vulnerability in GlobalProtect portal
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges. An attacker would require some level of specific information about the configuration of an impacted firewall or perform brute-force attacks to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled.
This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.
Prisma Access services are not impacted by this vulnerability. Firewalls that were upgraded to the latest
Palo Alto
PAN-OS: Authentication Bypass in SAML Authentication
vendor_paloalto·2020-06-29·CVSS 10.0
CVE-2020-2021 [CRITICAL] CWE-347 PAN-OS: Authentication Bypass in SAML Authentication
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1.
This issue cannot be exploited if SAML is not used for authentication.
This issue cannot be exploited if the '
GHSA
GHSA-84wc-9427-hw23: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecke
ghsa_unreviewed·2022-05-24
CVE-2020-2021 [HIGH] CWE-347 GHSA-84wc-9427-hw23: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecke
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled
VulnCheck
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
vulncheck·2020·CVSS 10.0
CVE-2020-2021 [CRITICAL] CWE-347 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.esentire.com/security-advisories/ransomware-groups-exploit-remote-access-services; https://cisa.gov/news-events/cybersecurity-advisories/aa20-283a; https://github.com/blackorbird/APT_REPORT/raw/master/summary/2021/The%20CrowdStrike%202021%20Global%20Threat%20Report.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://static.tenable.com/marketing/whitepapers/Whitepaper-Ransomware_Ecosystem.pdf; https://cert-in
Suricata
ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)
suricata·2021-11-01·CVSS 9.8
CVE-2020-8657 [CRITICAL] ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exp
Nuclei
Canon Devices - Authentication Bypass in Catwalk Server
nuclei·CVSS 7.5
CVE-2021-38154 [HIGH] Canon Devices - Authentication Bypass in Catwalk Server
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
Template:
```yaml
id: CVE-2021-38154

info:
  name: Canon Devices - Authentication Bypass in Catwalk Server
  author: daffainfo
  severity: high
  description: |
    Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is
```
Tenable
CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
blogs_tenable·2024-04-12·CVSS 10.0
[CRITICAL] CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
Checkpoint
31st October – Threat Intelligence Report
blogs_checkpoint·2022-10-31
CVE-2022-3723 31st October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
US-based communications company Twilio has disclosed a new data breach that occurred in June 2022, allegedly by the same threat actors behind the August hack. The hackers used voice phishing to trick a Twilio employee into handing over their credentials, which the hackers then used to access customer information.
Cu
Checkpoint
10th October – Threat Intelligence Report
blogs_checkpoint·2022-10-10
CVE-2022-41352 10th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
CommonSpirit Health, the second-largest nonprofit hospital chain in the U.S. with 140 hospitals and over 1,000 facilities in 21 states, suffered a cybersecurity incident that disrupted medical services across the country. Facilities in Iowa, Nebraska, Tennessee and Washington were among those affected. The nature of the at
Checkpoint
28th June – Threat Intelligence Report
blogs_checkpoint·2021-06-28
CVE-2021-21998 28th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 28th June, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Russian-based threat group Nobelium is using password spraying and brute force attacks to gain access to corporate networks. The group, which was behind the SolarWinds supply-chain attack, deployed an information-stealing Trojan on a Microsoft customer support agent’s computer to steal information. Over half of the targets were
Tenable
CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
blogs_tenable·2020-10-12·CVSS 5.5
[MEDIUM] CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
Tenable
CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed
blogs_tenable·2020-09-10·CVSS 9.8
[CRITICAL] CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed
Checkpoint
13th July – Threat Intelligence Bulletin
blogs_checkpoint·2020-07-13
CVE-2020-2021 13th July – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 13th July 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has reported eleven malicious applications on Google Store, infected with the Joker infostealer and ad clicker. Joker, first detected in 2017, has used various obfuscation techniques and “in-between” versions to elude detection by Google, who removed the apps following the report.
Check Point SandBl
Tenable
CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
blogs_tenable·2020-06-29·CVSS 10.0
[CRITICAL] CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
arXiv
Beyond the Surface: Investigating Malicious CVE Proof of Concept Exploits on GitHub
arxiv_fulltext·2023-06-07
Beyond the Surface: Investigating Malicious CVE Proof of Concept Exploits on GitHub
Soufian El Yadmani, Robin The, Olga Gadyatskaya
Leiden Institute of Advanced Computer Science, Leiden University
## Abstract
Exploit proof-of-concepts (PoCs) for known vulnerabilities are widely shared in the security community. They help security analysts to learn from each other and they facilitate security assessments and red teaming tasks. In the recent years, PoCs have been widely distributed, e.g., via dedicated websites and platforms, and public code repositories such as GitHub. However, there is no guarantee that PoCs in public code repositories come from trustworthy sources or even that they do what they are supposed to do.
In this work we investigate GitHub-hosted PoCs for known vulnerabili
Bugzilla
CVE-2020-13920 activemq: improper authentication allows MITM attack
bugzilla·2020-09-17·CVSS 5.9
CVE-2020-13920 [MEDIUM] CVE-2020-13920 activemq: improper authentication allows MITM attack
CVE-2020-13920 activemq: improper authentication allows MITM attack
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server that proxies the original and binds that instead, he effectively becomes a man in the middle and is able to intercept the credentials when a user connects. Upgrade to Apache ActiveMQ 5.15.12.
Reference:
http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt
Discussion:
This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
Timeline
- 2020-06-29: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild