Vulnerability Details CVE-2020-17516
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 4.3
References
- http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D%40apache.org%3e
- https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d728c52807486e9%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d467f3a09f2ceae4%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886eb55aa84dd1eb8%40%3Ccommits.cassandra.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210521-0002/
- http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D%40apache.org%3e
- https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d728c52807486e9%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d467f3a09f2ceae4%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886eb55aa84dd1eb8%40%3Ccommits.cassandra.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210521-0002/
Products affected by CVE-2020-17516
-
cpe:2.3:a:apache:cassandra:2.1.0
-
cpe:2.3:a:apache:cassandra:2.1.1
-
cpe:2.3:a:apache:cassandra:2.1.12
-
cpe:2.3:a:apache:cassandra:2.1.13
-
cpe:2.3:a:apache:cassandra:2.1.14
-
cpe:2.3:a:apache:cassandra:2.1.15
-
cpe:2.3:a:apache:cassandra:2.1.16
-
cpe:2.3:a:apache:cassandra:2.1.17
-
cpe:2.3:a:apache:cassandra:2.1.18
-
cpe:2.3:a:apache:cassandra:2.1.19
-
cpe:2.3:a:apache:cassandra:2.1.2
-
cpe:2.3:a:apache:cassandra:2.1.20
-
cpe:2.3:a:apache:cassandra:2.1.21
-
cpe:2.3:a:apache:cassandra:2.1.22
-
cpe:2.3:a:apache:cassandra:2.1.3
-
cpe:2.3:a:apache:cassandra:2.1.4
-
cpe:2.3:a:apache:cassandra:2.1.5
-
cpe:2.3:a:apache:cassandra:2.1.6
-
cpe:2.3:a:apache:cassandra:2.1.7
-
cpe:2.3:a:apache:cassandra:2.1.8
-
cpe:2.3:a:apache:cassandra:2.1.9
-
cpe:2.3:a:apache:cassandra:2.2.0
-
cpe:2.3:a:apache:cassandra:2.2.1
-
cpe:2.3:a:apache:cassandra:2.2.10
-
cpe:2.3:a:apache:cassandra:2.2.11
-
cpe:2.3:a:apache:cassandra:2.2.12
-
cpe:2.3:a:apache:cassandra:2.2.13
-
cpe:2.3:a:apache:cassandra:2.2.14
-
cpe:2.3:a:apache:cassandra:2.2.15
-
cpe:2.3:a:apache:cassandra:2.2.16
-
cpe:2.3:a:apache:cassandra:2.2.17
-
cpe:2.3:a:apache:cassandra:2.2.18
-
cpe:2.3:a:apache:cassandra:2.2.19
-
cpe:2.3:a:apache:cassandra:3.0.0
-
cpe:2.3:a:apache:cassandra:3.0.1
-
cpe:2.3:a:apache:cassandra:3.0.10
-
cpe:2.3:a:apache:cassandra:3.0.11
-
cpe:2.3:a:apache:cassandra:3.0.12
-
cpe:2.3:a:apache:cassandra:3.0.13
-
cpe:2.3:a:apache:cassandra:3.0.14
-
cpe:2.3:a:apache:cassandra:3.0.15
-
cpe:2.3:a:apache:cassandra:3.0.16
-
cpe:2.3:a:apache:cassandra:3.0.17
-
cpe:2.3:a:apache:cassandra:3.0.18
-
cpe:2.3:a:apache:cassandra:3.0.19
-
cpe:2.3:a:apache:cassandra:3.0.2
-
cpe:2.3:a:apache:cassandra:3.0.20
-
cpe:2.3:a:apache:cassandra:3.0.21
-
cpe:2.3:a:apache:cassandra:3.0.22
-
cpe:2.3:a:apache:cassandra:3.0.23
-
cpe:2.3:a:apache:cassandra:3.0.3
-
cpe:2.3:a:apache:cassandra:3.0.4
-
cpe:2.3:a:apache:cassandra:3.0.5
-
cpe:2.3:a:apache:cassandra:3.0.6
-
cpe:2.3:a:apache:cassandra:3.0.7
-
cpe:2.3:a:apache:cassandra:3.0.8
-
cpe:2.3:a:apache:cassandra:3.0.9
-
cpe:2.3:a:apache:cassandra:3.11.0
-
cpe:2.3:a:apache:cassandra:3.11.1
-
cpe:2.3:a:apache:cassandra:3.11.2
-
cpe:2.3:a:apache:cassandra:3.11.3
-
cpe:2.3:a:apache:cassandra:3.11.4
-
cpe:2.3:a:apache:cassandra:3.11.5
-
cpe:2.3:a:apache:cassandra:3.11.6
-
cpe:2.3:a:apache:cassandra:3.11.7
-
cpe:2.3:a:apache:cassandra:3.11.8
-
cpe:2.3:a:apache:cassandra:3.11.9