CVE-2020-13920
Severity: MEDIUM
Apache ActiveMQ < 5.15.12 - Unauthenticated JMX RMI Registry Manipulation
Title source: llmDescription
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server that proxies the original and binds it in place of the real one, the attacker effectively becomes a man in the middle and can intercept the credentials when a user connects. Upgrade to Apache ActiveMQ 5.15.12.
References (6)
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html
Mailing List: https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E
Mailing List: https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2020.html
Scores
CVSS v3: 5.9
EPSS: 0.0019
EPSS Percentile: 40.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-306 (Missing Authentication for Critical Function)
Status: published
Products (6)
apache/activemq: < 5.15.12
debian/debian_linux: 9.0
oracle/communications_diameter_signaling_router: 8.0.0 - 8.2.2
oracle/flexcube_private_banking: 12.0.0
oracle/flexcube_private_banking: 12.1.0
org.apache.activemq/activemq-parent: 0 - 5.15.12 (Maven)
Published: Sep 10, 2020
Tracked Since: Feb 18, 2026