GHSA-2vxm-vp4c-fjfw

Suggest an improvement
Source
https://github.com/advisories/GHSA-2vxm-vp4c-fjfw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2vxm-vp4c-fjfw/GHSA-2vxm-vp4c-fjfw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2vxm-vp4c-fjfw
Aliases
Published
2022-02-09T01:01:22Z
Modified
2024-02-17T05:33:40.672689Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Authentication Bypass in Apache Cassandra
Details

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

Database specific
{
    "nvd_published_at": "2021-02-03T17:15:00Z",
    "cwe_ids": [
        "CWE-290"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-02T22:58:25Z"
}
References

Affected packages

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
3.0.24

Affected versions

2.*

2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.1.19
2.1.20
2.1.21
2.1.22
2.2.0-beta1
2.2.0-rc1
2.2.0-rc2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19

3.*

3.0.0-alpha1
3.0.0-beta1
3.0.0-beta2
3.0.0-rc1
3.0.0-rc2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21
3.0.22
3.0.23

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.11.0
Fixed
3.11.10

Affected versions

3.*

3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.11.8
3.11.9