{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-27137","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2024-02-20T12:29:07.597Z","datePublished":"2025-02-04T10:19:44.109Z","dateUpdated":"2025-02-15T00:10:33.257Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Cassandra","vendor":"Apache Software Foundation","versions":[{"lessThan":"4.0.15","status":"affected","version":"4.0.2","versionType":"semver"},{"lessThan":"4.1.8","status":"affected","version":"4.1.0","versionType":"semver"},{"lessThan":"5.0.3","status":"affected","version":"5.0-beta1","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In Apache Cassandra it is possible for a local attacker without access\n to the Apache Cassandra process or configuration files to manipulate \nthe RMI registry to perform a man-in-the-middle attack and capture user \nnames and passwords used to access the JMX interface. The attacker can \nthen use these credentials to access the JMX interface and perform \nunauthorized operations.<br></p><p>This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10.<br></p><p>This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11.<br></p><p>Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.<br></p>"}],"value":"In Apache Cassandra it is possible for a local attacker without access\n to the Apache Cassandra process or configuration files to manipulate \nthe RMI registry to perform a man-in-the-middle attack and capture user \nnames and passwords used to access the JMX interface. The attacker can \nthen use these credentials to access the JMX interface and perform \nunauthorized operations.\n\n\nThis is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10.\n\n\nThis issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11.\n\n\nOperators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue."}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"description":"Unrestricted deserialization of JMX authentication credentials","lang":"en"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2025-02-04T10:19:44.109Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm"}],"source":{"discovery":"UNKNOWN"},"title":"Apache Cassandra: unrestricted deserialization of JMX authentication credentials","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-287","lang":"en","description":"CWE-287 Improper Authentication"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.3,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","integrityImpact":"LOW","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-02-06T19:45:49.479993Z","id":"CVE-2024-27137","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-06T20:53:33.764Z"}},{"title":"CVE Program Container","references":[{"url":"https://security.netapp.com/advisory/ntap-20250214-0004/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-02-15T00:10:33.257Z"}}]}}