{"containers":{"cna":{"affected":[{"product":"Apache Cassandra","vendor":"n/a","versions":[{"status":"affected","version":"2.1.0 to 2.1.22"},{"status":"affected","version":"2.2.0 to 2.2.19"},{"status":"affected","version":"3.0.0 to 3.0.23"},{"status":"affected","version":"3.11.0 to 3.11.9"}]}],"descriptions":[{"lang":"en","value":"Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-290","description":"CWE-290: Authentication Bypass by Spoofing","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-09-15T08:06:07.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D%40apache.org%3e"},{"name":"[cassandra-commits] 20210217 [jira] [Created] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886eb55aa84dd1eb8%40%3Ccommits.cassandra.apache.org%3E"},{"tags":["x_refsource_CONFIRM"],"url":"https://security.netapp.com/advisory/ntap-20210521-0002/"},{"name":"[cassandra-commits] 20210523 [jira] [Updated] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d467f3a09f2ceae4%40%3Ccommits.cassandra.apache.org%3E"},{"name":"[cassandra-commits] 20210915 [jira] [Updated] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d728c52807486e9%40%3Ccommits.cassandra.apache.org%3E"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2020-17516","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Cassandra","version":{"version_data":[{"version_value":"2.1.0 to 2.1.22"},{"version_value":"2.2.0 to 2.2.19"},{"version_value":"3.0.0 to 3.0.23"},{"version_value":"3.11.0 to 3.11.9"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-290: Authentication Bypass by Spoofing"}]}]},"references":{"reference_data":[{"name":"http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e","refsource":"CONFIRM","url":"http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e"},{"name":"[cassandra-commits] 20210217 [jira] [Created] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886eb55aa84dd1eb8@%3Ccommits.cassandra.apache.org%3E"},{"name":"https://security.netapp.com/advisory/ntap-20210521-0002/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20210521-0002/"},{"name":"[cassandra-commits] 20210523 [jira] [Updated] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d467f3a09f2ceae4@%3Ccommits.cassandra.apache.org%3E"},{"name":"[cassandra-commits] 20210915 [jira] [Updated] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d728c52807486e9@%3Ccommits.cassandra.apache.org%3E"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T14:00:48.346Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D%40apache.org%3e"},{"name":"[cassandra-commits] 20210217 [jira] [Created] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886eb55aa84dd1eb8%40%3Ccommits.cassandra.apache.org%3E"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20210521-0002/"},{"name":"[cassandra-commits] 20210523 [jira] [Updated] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d467f3a09f2ceae4%40%3Ccommits.cassandra.apache.org%3E"},{"name":"[cassandra-commits] 20210915 [jira] [Updated] (CASSANDRA-16455) CVE-2020-17516 mitigation in 2.2.x branch","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d728c52807486e9%40%3Ccommits.cassandra.apache.org%3E"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2020-17516","datePublished":"2021-02-03T16:40:04.000Z","dateReserved":"2020-08-12T00:00:00.000Z","dateUpdated":"2024-08-04T14:00:48.346Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}