Man-in-the-Middle Vulnerability in Apache CXF JMX Integration
CVE-2020-1954

5.3MEDIUM

Key Information:

Vendor

Apache
Status
Apache Cxf
Vendor
CVE Published:
1 April 2020

What is CVE-2020-1954?

Apache CXF, a popular framework for building web services, can be exploited when the 'createMBServerConnectorFactory' property of the default InstrumentationManagerImpl is enabled. This vulnerability allows attackers on the same host to carry out a man-in-the-middle attack, where they can connect to the JMX registry and redirect communication to a malicious server. Consequently, sensitive information sent and received over JMX could be compromised as the attacker acts as a proxy, intercepting data streams.

Affected Version(s)

Apache CXF affects all versions prior to 3.3.6 and 3.2.13

References

https://www.oracle.com/security-alerts/cpuoct2020.html
x_refsource_MISC
http://cxf.apache.org/security-advisories.data/CVE-2020-1...
x_refsource_MISC
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.