CVE-2020-1954

MEDIUM

Apache CXF < 3.2.13 - Man-in-the-Middle Attack via JMX InstrumentationManager

Title source: llm
STIX 2.1

Description

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.

References (6)

Core 6
Core References
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Patch, Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220210-0001/

Scores

CVSS v3 5.3
EPSS 0.0022
EPSS Percentile 44.0%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Status published
Products (11)
apache/cxf < 3.2.13
netapp/oncommand_workflow_automation
netapp/snapmanager
oracle/communications_diameter_signaling_router 8.0.0 - 8.2.2
oracle/communications_diameter_signaling_router_idih\ 8.0.0 - 8.2.2
oracle/communications_element_manager 8.2.0 - 8.2.2
oracle/communications_session_report_manager 8.2.0 - 8.2.2
oracle/communications_session_route_manager 8.2.0 - 8.2.2
oracle/enterprise_manager_base_platform 13.2.1.0
oracle/peoplesoft_enterprise_peopletools 8.56
... and 1 more
Published Apr 01, 2020
Tracked Since Feb 18, 2026