Vulnerability-Lookup

CVE-2020-13920 (GCVE-0-2020-13920)

Vulnerability from cvelistv5 – Published: 2020-09-10 00:00 – Updated: 2024-08-04 12:32

Summary

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.

Severity ?

No CVSS data available.

CWE

Man In The Middle attack vulnerability

Assigner

apache

References

URL

	Vendor	Product	Version
	n/a	Apache ActiveMQ	Affected: Apache ActiveMQ version prior to 5.15.12

GSD-2020-13920

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-13920

Aliases

CVE-2020-13920

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-13920",
    "description": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.",
    "id": "GSD-2020-13920",
    "references": [
      "https://access.redhat.com/errata/RHSA-2021:3207",
      "https://access.redhat.com/errata/RHSA-2021:3205",
      "https://access.redhat.com/errata/RHSA-2021:3140"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-13920"
      ],
      "details": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.",
      "id": "GSD-2020-13920",
      "modified": "2023-12-13T01:21:47.083667Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2020-13920",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache ActiveMQ",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache ActiveMQ version prior to 5.15.12"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Man In The Middle attack vulnerability"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt",
            "refsource": "MISC",
            "url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
          },
          {
            "name": "[debian-lts-announce] 20201007 [SECURITY] [DLA 2400-1] activemq security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "name": "[activemq-commits] 20210127 [activemq-website] branch master updated: Publish CVE-2021-26117",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
          },
          {
            "name": "[activemq-commits] 20210208 [activemq-website] branch master updated: Publish CVE-2020-13947",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20231120 [SECURITY] [DLA 3657-1] activemq security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,0)",
          "affected_versions": "None",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2020-09-11",
          "description": "This advisory has been marked as a false positive.",
          "fixed_versions": [],
          "identifier": "CVE-2020-13920",
          "identifiers": [
            "CVE-2020-13920"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.activemq/activemq-all",
          "pubdate": "2020-09-10",
          "solution": "Nothing to be done",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-13920",
            "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
          ],
          "uuid": "99519a8f-5b2d-48c0-94dd-fdcf927a8962"
        },
        {
          "affected_range": "(,0)",
          "affected_versions": "None",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2020-09-11",
          "description": "This advisory has been marked as a false positive.",
          "fixed_versions": [],
          "identifier": "CVE-2020-13920",
          "identifiers": [
            "CVE-2020-13920"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.activemq/activemq-broker",
          "pubdate": "2020-09-10",
          "solution": "Nothing to be done",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-13920",
            "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
          ],
          "uuid": "bf6db18f-87b2-486d-9133-fee7ce8f4f01"
        },
        {
          "affected_range": "(,0)",
          "affected_versions": "None",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2020-09-11",
          "description": "This advisory has been marked as a false positive.",
          "fixed_versions": [],
          "identifier": "CVE-2020-13920",
          "identifiers": [
            "CVE-2020-13920"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.activemq/activemq-client",
          "pubdate": "2020-09-10",
          "solution": "Nothing to be done",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-13920",
            "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
          ],
          "uuid": "a51e71fc-74ef-44d3-b7d3-87940042bc32"
        },
        {
          "affected_range": "(,5.15.12)",
          "affected_versions": "All versions before 5.15.12",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2021-07-21",
          "description": "Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the `jmxrmi` entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when a user connects.",
          "fixed_versions": [
            "5.15.12"
          ],
          "identifier": "CVE-2020-13920",
          "identifiers": [
            "CVE-2020-13920"
          ],
          "not_impacted": "All versions starting from 5.15.12",
          "package_slug": "maven/org.apache.activemq/activemq-core",
          "pubdate": "2020-09-10",
          "solution": "Upgrade to version 5.15.12 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-13920",
            "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
          ],
          "uuid": "e998eee4-1abb-4fde-85f6-adc0dcdb1eee"
        },
        {
          "affected_range": "(,5.15.12)",
          "affected_versions": "All versions before 5.15.12",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-306",
            "CWE-937"
          ],
          "date": "2022-02-09",
          "description": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.",
          "fixed_versions": [
            "5.15.12"
          ],
          "identifier": "CVE-2020-13920",
          "identifiers": [
            "GHSA-xgrx-xpv2-6vp4",
            "CVE-2020-13920"
          ],
          "not_impacted": "All versions starting from 5.15.12",
          "package_slug": "maven/org.apache.activemq/activemq-parent",
          "pubdate": "2022-02-09",
          "solution": "Upgrade to version 5.15.12 or above.",
          "title": "Missing Authentication for Critical Function",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-13920",
            "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E",
            "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E",
            "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html",
            "https://www.oracle.com/security-alerts/cpuoct2020.html",
            "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt",
            "https://github.com/advisories/GHSA-xgrx-xpv2-6vp4"
          ],
          "uuid": "18233937-631d-49ea-b7d8-edfdfc493884"
        },
        {
          "affected_range": "(,0)",
          "affected_versions": "None",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2020-09-11",
          "description": "This advisory has been marked as a false positive.",
          "fixed_versions": [],
          "identifier": "CVE-2020-13920",
          "identifiers": [
            "CVE-2020-13920"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.activemq/activemq-web-console",
          "pubdate": "2020-09-10",
          "solution": "Nothing to be done",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-13920",
            "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
          ],
          "uuid": "166acd4c-c3fb-41dc-9abe-514c67e21787"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.15.12",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "8.2.2",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-13920"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-306"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
            },
            {
              "name": "[debian-lts-announce] 20201007 [SECURITY] [DLA 2400-1] activemq security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "[activemq-commits] 20210127 [activemq-website] branch master updated: Publish CVE-2021-26117",
              "refsource": "",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E"
            },
            {
              "name": "[activemq-commits] 20210208 [activemq-website] branch master updated: Publish CVE-2020-13947",
              "refsource": "",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20231120 [SECURITY] [DLA 3657-1] activemq security update",
              "refsource": "",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-11-20T22:15Z",
      "publishedDate": "2020-09-10T19:15Z"
    }
  }
}

bit-activemq-2020-13920

Vulnerability from bitnami_vulndb

Published

2025-12-03 14:35

Modified

2025-12-03 15:08

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "activemq",
        "purl": "pkg:bitnami/activemq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.12"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13920"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.",
  "id": "BIT-activemq-2020-13920",
  "modified": "2025-12-03T15:08:24.036Z",
  "published": "2025-12-03T14:35:12.171Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13920"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    }
  ],
  "schema_version": "1.6.2"
}

FKIE_CVE-2020-13920

Vulnerability from fkie_nvd - Published: 2020-09-10 19:15 - Updated: 2024-11-21 05:02

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@apache.org	http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt	Vendor Advisory
security@apache.org	https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
security@apache.org	https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html	Mailing List, Third Party Advisory
security@apache.org	https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
security@apache.org	https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory

Impacted products

Vendor	Product	Version
apache	activemq	*
oracle	communications_diameter_signaling_router	*
oracle	flexcube_private_banking	12.0.0
oracle	flexcube_private_banking	12.1.0
debian	debian_linux	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B27C7324-562F-46E8-B69D-EE68D2F8CAA4",
              "versionEndExcluding": "5.15.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "526E2FE5-263F-416F-8628-6CD40B865780",
              "versionEndIncluding": "8.2.2",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6762F207-93C7-4363-B2F9-7A7C6F8AF993",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12."
    },
    {
      "lang": "es",
      "value": "Apache ActiveMQ usa la funci\u00f3n LocateRegistry.createRegistry() para crear el registro RMI de JMX y vincular el servidor a la entrada \"jmxrmi\".\u0026#xa0;Es posible conectarse al registro sin autenticaci\u00f3n y llamar al m\u00e9todo rebind para volver a vincular jmxrmi a otra cosa.\u0026#xa0;Si un atacante crea otro servidor como proxy del original y lo enlaza, efectivamente se convierte en un ataque de tipo man in the middle y es capaz de interceptar las credenciales cuando un usuario se conecta.\u0026#xa0;Actualice a Apache ActiveMQ versi\u00f3n 5.15.12"
    }
  ],
  "id": "CVE-2020-13920",
  "lastModified": "2024-11-21T05:02:09.060",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-10T19:15:13.160",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-51793

Vulnerability from cnvd - Published: 2020-09-13

Title

Apache ActiveMQ effect身份验证漏洞

Description

Apache ActiveMQ是美国阿帕奇（Apache）软件基金会的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。effect是一款用于添加图像效果的软件包。 Apache ActiveMQ 5.15.12中存在身份验证漏洞。该漏洞源于网络系统或产品未能正确验证用户身份。攻击者可利用该漏洞不通过身份验证连接到注册表。

Severity

中

Patch Name

Apache ActiveMQ effect身份验证漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-13920

Impacted products

Name
Apache ActiveMQ 5.15.12

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-13920",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-13920"
    }
  },
  "description": "Apache ActiveMQ\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u6d88\u606f\u4e2d\u95f4\u4ef6\uff0c\u5b83\u652f\u6301Java\u6d88\u606f\u670d\u52a1\u3001\u96c6\u7fa4\u3001Spring Framework\u7b49\u3002effect\u662f\u4e00\u6b3e\u7528\u4e8e\u6dfb\u52a0\u56fe\u50cf\u6548\u679c\u7684\u8f6f\u4ef6\u5305\u3002\n\nApache ActiveMQ  5.15.12\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u8eab\u4efd\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0d\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u8fde\u63a5\u5230\u6ce8\u518c\u8868\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-51793",
  "openTime": "2020-09-13",
  "patchDescription": "Apache ActiveMQ\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u6d88\u606f\u4e2d\u95f4\u4ef6\uff0c\u5b83\u652f\u6301Java\u6d88\u606f\u670d\u52a1\u3001\u96c6\u7fa4\u3001Spring Framework\u7b49\u3002effect\u662f\u4e00\u6b3e\u7528\u4e8e\u6dfb\u52a0\u56fe\u50cf\u6548\u679c\u7684\u8f6f\u4ef6\u5305\u3002\r\n\r\nApache ActiveMQ  5.15.12\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u8eab\u4efd\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0d\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u8fde\u63a5\u5230\u6ce8\u518c\u8868\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache ActiveMQ effect\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache ActiveMQ 5.15.12"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-13920",
  "serverity": "\u4e2d",
  "submitTime": "2020-09-12",
  "title": "Apache ActiveMQ effect\u8eab\u4efd\u9a8c\u8bc1\u6f0f\u6d1e"
}

GHSA-XGRX-XPV2-6VP4

Vulnerability from github – Published: 2022-02-09 22:15 – Updated: 2024-03-14 21:54

Summary

Improper Authentication in Apache ActiveMQ

Details

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:activemq-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T23:04:50Z",
    "nvd_published_at": "2020-09-10T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.",
  "id": "GHSA-xgrx-xpv2-6vp4",
  "modified": "2024-03-14T21:54:17Z",
  "published": "2022-02-09T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/activemq/commit/359ae4b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/activemq/commit/48cd61d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/activemq/commit/58382283330f7c7b110c7afd8ef4ca2648786532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/activemq/commit/b7dca5e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/activemq"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/AMQ-7400"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authentication in Apache ActiveMQ"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-13920 (GCVE-0-2020-13920)

GSD-2020-13920

bit-activemq-2020-13920

Vulnerability from bitnami_vulndb

FKIE_CVE-2020-13920

CNVD-2020-51793

GHSA-XGRX-XPV2-6VP4

Tags

Sightings

Nomenclature