Vulnerability Details : CVE-2020-13920
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server that proxies the original and binds that instead, he effectively becomes a man in the middle and is able to intercept the credentials when a user connects. Upgrade to Apache ActiveMQ 5.15.12.
Products affected by CVE-2020-13920
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
- Oracle » Communications Diameter Signaling Router, versions from 8.0.0 (>=) up to and including 8.2.2 (<=): cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Threat overview for CVE-2020-13920
- Top countries where our scanners detected CVE-2020-13920
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2020-13920: 29
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2020-13920
- EPSS score: 0.50% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~77% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-13920
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2020-13920
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13920
- https://www.oracle.com/security-alerts/cpuoct2020.html — Oracle Critical Patch Update Advisory - October 2020 (Third Party Advisory)
- http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt — Vendor Advisory
- https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E — [activemq-website] branch master updated: Publish CVE-2020-13947 (Mailing List; Patch; Vendor Advisory)
- https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E — [activemq-website] branch master updated: Publish CVE-2021-26117 (Mailing List; Patch; Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html — [SECURITY] [DLA 2400-1] activemq security update (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html — [SECURITY] [DLA 3657-1] activemq security update