Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-13920

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.

Published

2020-09-10T19:15:13.160

Last Modified

2024-11-21T05:02:09.060

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	activemq	< 5.15.12	Yes
Application	oracle	communications_diameter_signaling_router	≤ 8.2.2	Yes
Application	oracle	flexcube_private_banking	12.0.0	Yes
Application	oracle	flexcube_private_banking	12.1.0	Yes
Operating System	debian	debian_linux	9.0	Yes

References

http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E ([email protected])
https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html ([email protected])
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory ([email protected])
http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)