CVE-2020-1960
Summary
| CVE | CVE-2020-1960 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-05-14 17:15:00 UTC |
| Updated | 2023-11-07 03:19:00 UTC |
| Description | A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name>.port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Flink | 1.10.0 | - | All | All |
| Application | Apache | Flink | 1.10.0 | - | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
| Application | Apache | Flink | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Patch, Vendor Advisory |
| Pony Mail! | MISC | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MISC | lists.apache.org | Mailing List, Patch, Vendor Advisory |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Exploit, Mailing List, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982412 Java (maven) Security Update for org.apache.flink:flink-core (GHSA-6g88-99wj-8mgg)