Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.
References
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:19
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
16 Sep 2021, 13:19
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d728c52807486e9@%3Ccommits.cassandra.apache.org%3E - Mailing List, Third Party Advisory |
15 Sep 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
26 May 2021, 19:28
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d467f3a09f2ceae4@%3Ccommits.cassandra.apache.org%3E - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20210521-0002/ - Mailing List, Third Party Advisory |
23 May 2021, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 May 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Feb 2021, 18:10
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886eb55aa84dd1eb8@%3Ccommits.cassandra.apache.org%3E - Mailing List, Vendor Advisory |
17 Feb 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
05 Feb 2021, 22:04
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e - Mailing List, Vendor Advisory | |
CWE | CWE-290 | |
CPE | cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 7.5 |
03 Feb 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-02-03 17:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-17516
Mitre link : CVE-2020-17516
CVE.ORG link : CVE-2020-17516
JSON object : View
Products Affected
apache
- cassandra
CWE
CWE-290
Authentication Bypass by Spoofing