CVE-2024-27137

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

n Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10. This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11. Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.

References

Link	Resource
https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm	Mailing List Vendor Advisory Issue Tracking
https://security.netapp.com/advisory/ntap-20250214-0004/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:cassandra::::::::
	cpe:2.3:a:apache:cassandra::::::::
	cpe:2.3:a:apache:cassandra::::::::
	cpe:2.3:a:apache:cassandra:5.0.0:-::::::
	cpe:2.3:a:apache:cassandra:5.0.0:beta1::::::
	cpe:2.3:a:apache:cassandra:5.0.0:rc1::::::
	cpe:2.3:a:apache:cassandra:5.0.0:rc2::::::

History

14 Jul 2025, 12:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:cassandra:5.0.0:beta1:::::: cpe:2.3:a:apache:cassandra:5.0.0:rc1:::::: cpe:2.3:a:apache:cassandra:::::::: cpe:2.3:a:apache:cassandra:5.0.0:-:::::: cpe:2.3:a:apache:cassandra:5.0.0:rc2::::::
First Time		Apache cassandra Apache
References	~~() https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm -~~	() https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm - Mailing List, Vendor Advisory, Issue Tracking
References	~~() https://security.netapp.com/advisory/ntap-20250214-0004/ -~~	() https://security.netapp.com/advisory/ntap-20250214-0004/ - Third Party Advisory

15 Feb 2025, 01:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20250214-0004/ -

06 Feb 2025, 21:15

Type	Values Removed	Values Added
CWE		CWE-287

06 Feb 2025, 20:15

Type	Values Removed	Values Added
Summary		(es) En Apache Cassandra, es posible que un atacante local sin acceso al proceso de Apache Cassandra o a los archivos de configuración manipule el registro RMI para realizar un ataque de intermediario y capturar los nombres de usuario y las contraseñas utilizadas para acceder a la interfaz JMX. El atacante puede utilizar estas credenciales para acceder a la interfaz JMX y realizar operaciones no autorizadas. Esta es la misma vulnerabilidad para la que se emitió CVE-2020-13946, pero la opción Java se cambió en JDK10. Este problema afecta a Apache Cassandra desde la versión 4.0.2 hasta la 5.0.2 que ejecuta Java 11. Se recomienda a los operadores que actualicen a una versión igual o posterior a la 4.0.15, 4.1.8 o 5.0.3, que soluciona el problema.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

04 Feb 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-04 11:15

Updated : 2025-07-14 12:43

NVD link : CVE-2024-27137

Mitre link : CVE-2024-27137

CVE.ORG link : CVE-2024-27137

JSON object : View

Products Affected

apache

cassandra

CWE

CWE-287

Improper Authentication

5.3 /10