CVE-2020-13946
Description
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local attacker can manipulate RMI registry to capture JMX credentials, then gain unauthorized access to Apache Cassandra.
Vulnerability Overview
CVE-2020-13946 affects Apache Cassandra versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2. The vulnerability allows a local attacker without access to the Cassandra process or configuration files to manipulate the RMI registry. By performing a man-in-the-middle attack, the attacker can capture user names and passwords used to access the JMX interface [1].
Exploitation Details
The attack requires local access to the host running Apache Cassandra. The attacker does not need access to the Apache Cassandra process or its configuration files. The vulnerability is in the RMI registry, which is used for JMX connections. By exploiting this issue, the attacker can intercept authentication credentials transmitted between JMX clients and the JMX server [1].
Impact
With the captured credentials, the attacker can authenticate to the JMX interface and perform unauthorized operations. This can lead to significant compromise of the Cassandra installation, including potential data access, modification, or disruption of service. The issue is related to CVE-2019-2684, a JRE vulnerability that could allow this attack to be executed remotely [1].
Mitigation
Users should upgrade to Apache Cassandra 2.1.22, 2.2.18, 3.0.22, 3.11.8, or 4.0-beta2 or later. Restricting local access to the host and using secure JMX configurations (such as SSL/TLS) can also reduce risk [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cassandra:cassandra-all (Maven) | >= 2.1.0, < 2.1.12 | 2.1.12 |
| org.apache.cassandra:cassandra-all (Maven) | >= 2.2.0, < 2.2.18 | 2.2.18 |
| org.apache.cassandra:cassandra-all (Maven) | >= 3.0.0, < 3.0.22 | 3.0.22 |
| org.apache.cassandra:cassandra-all (Maven) | >= 3.11.0, < 3.11.8 | 3.11.8 |
| org.apache.cassandra:cassandra-all (Maven) | >= 4.0-beta1, < 4.0-beta2 | 4.0-beta2 |
Affected products (8)
- Apache/Cassandra (description)
- osv-coords (7 versions): pkg:apk/chainguard/cassandra-4.1, pkg:apk/chainguard/cassandra-4.1-compat, pkg:apk/chainguard/cassandra-4.1-iamguarded-compat, pkg:apk/wolfi/cassandra-4.1, pkg:apk/wolfi/cassandra-4.1-compat, pkg:bitnami/cassandra, pkg:maven/org.apache.cassandra/cassandra-all; range: < 0 (+ 6 more)
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 2.1.22
- (no CPE) range: >= 2.1.0, < 2.1.12
Patches (0)
No patches discovered yet.
References (11)
- github.com/advisories/GHSA-24ww-mc5x-xc43 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-13946 (ghsa, ADVISORY)
- lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7%40%3Cuser.cassandra.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7@%3Cuser.cassandra.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce%40%3Cuser.cassandra.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce@%3Cuser.cassandra.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc%40%3Cuser.cassandra.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc@%3Cuser.cassandra.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E (ghsa, x_refsource_MISC, WEB)
- security.netapp.com/advisory/ntap-20210521-0005 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20210521-0005/ (mitre, x_refsource_CONFIRM)