Apache Cassandra up to 2.1.22/2.2.19/3.0.23/3.11.9 missing encryption


A vulnerability was found in Apache Cassandra up to 2.1.22/2.2.19/3.0.23/3.11.9. It has been rated as problematic. This issue affects an unknown functionality. No information about possible countermeasures is known. It may be suggested to replace the affected object with an alternative product.

| Field | 02/04/2021 10:13 AM | 02/23/2021 12:12 PM |
| --- | --- | --- |
| vendor | Apache | Apache |
| name | Cassandra | Cassandra |
| version | <=2.1.22/2.2.19/3.0.23/3.11.9 | <=2.1.22/2.2.19/3.0.23/3.11.9 |
| cwe | 311 (weak encryption) | 311 (weak encryption) |
| risk | 1 | 1 |
| cvss3_vuldb_ac | H | H |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | N | N |
| cvss3_vuldb_a | N | N |
| url | http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e | http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e |
| cve | CVE-2020-17516 | CVE-2020-17516 |
| date | 1612393200 (02/04/2021) | 1612393200 (02/04/2021) |
| cvss2_vuldb_ac | H | H |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | N | N |
| cvss2_vuldb_ai | N | N |
| cvss2_vuldb_av | A | A |
| cvss2_vuldb_au | S | S |
| cvss2_vuldb_e | ND | ND |
| cvss2_vuldb_rl | ND | ND |
| cvss2_vuldb_rc | ND | ND |
| cvss3_vuldb_av | A | A |
| cvss3_vuldb_pr | L | L |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_e | X | X |
| cvss3_vuldb_rl | X | X |
| cvss3_vuldb_rc | X | X |
| cvss2_vuldb_basescore | 1.4 | 1.4 |
| cvss2_vuldb_tempscore | 1.4 | 1.4 |
| cvss3_vuldb_basescore | 2.6 | 2.6 |
| cvss3_vuldb_tempscore | 2.6 | 2.6 |
| cvss3_meta_basescore | 2.6 | 2.6 |
| cvss3_meta_tempscore | 2.6 | 2.6 |
| price_0day | $0-$5k | $0-$5k |
cve_assigned: 1597183200

cve_nvd_summary: Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

confirm_url: http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e
