Moderate severity · NVD Advisory · Published Apr 1, 2020 · Updated Aug 4, 2024
CVE-2020-1954
Description
Apache CXF has the ability to integrate with JMX by registering an `InstrumentationManager` extension with the CXF bus. If the `createMBServerConnectorFactory` property of the default `InstrumentationManagerImpl` is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
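As an added example (not part of the advisory or of Apache CXF itself), a small Python audit check that scans a Spring-style CXF configuration for `InstrumentationManagerImpl` beans whose `createMBServerConnectorFactory` property is not explicitly set to `false`. The bean ids and the sample XML are constructed; the check only inspects inline `<property name="..." value="..."/>` children of each bean.

```python
"""Flag CXF JMX InstrumentationManagerImpl beans whose
createMBServerConnectorFactory property is not explicitly disabled."""
import xml.etree.ElementTree as ET

CXF_IM_CLASS = "org.apache.cxf.management.jmx.InstrumentationManagerImpl"
PROP = "createMBServerConnectorFactory"


def _local(tag):
    """Strip a namespace prefix such as '{http://...}bean' down to 'bean'."""
    return tag.rsplit("}", 1)[-1]


def find_weak_jmx_beans(xml_text):
    """Return (bean id, property value or None) for every
    InstrumentationManagerImpl bean that does not set the property to false."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "bean" or el.get("class") != CXF_IM_CLASS:
            continue
        value = None
        for child in el:
            if _local(child.tag) == "property" and child.get("name") == PROP:
                value = child.get("value")
        # Missing or anything other than "false" means the property is not
        # explicitly disabled, so the bean is reported for review.
        if value is None or value.strip().lower() != "false":
            findings.append((el.get("id", "<anonymous>"), value))
    return findings


# Constructed sample: one weak bean definition beside a hardened one.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="weakIM" class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="enabled" value="true"/>
    <property name="createMBServerConnectorFactory" value="true"/>
  </bean>
  <bean id="hardenedIM" class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="enabled" value="true"/>
    <property name="createMBServerConnectorFactory" value="false"/>
  </bean>
</beans>"""

if __name__ == "__main__":
    for bean_id, value in find_weak_jmx_beans(SAMPLE):
        print(f"{bean_id}: {PROP}={value!r} (not explicitly disabled)")
```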
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-rt-management (Maven) | < 3.2.13 | 3.2.13 |
| org.apache.cxf:cxf-rt-management (Maven) | >= 3.3.0, < 3.3.6 | 3.3.6 |
References
- github.com/advisories/GHSA-ffm7-7r8g-77xm
- nvd.nist.gov/vuln/detail/CVE-2020-1954
- cxf.apache.org/security-advisories.data/CVE-2020-1954.txt.asc
- github.com/apache/cxf/commit/1cf4fed546904a4a2560f53a2a2391d834b4026c
- lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
- security.netapp.com/advisory/ntap-20220210-0001/
- www.oracle.com/security-alerts/cpuoct2020.html