Home > Vulnerability Database > CVE-2024-27137

Mend.io Vulnerability Database

CVE-2024-27137

Good to know:

Date: February 4, 2025

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10. This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11. Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.

Severity Score

5.3

Related Resources (6)

Url: https://security.netapp.com/advisory/ntap-20250214-0004/

Url: https://security.netapp.com/advisory/ntap-20250214-0004

Url: https://github.com/apache/cassandra

Url: https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27137

Url: https://www.mend.io/vulnerability-database/CVE-2024-27137

Severity Score

5.3

Weakness Type (CWE)

Improper Authentication

CWE-287

Exposure of Resource to Wrong Sphere

CWE-668

Top Fix

Upgrade Version

Upgrade to version org.apache.cassandra:cassandra-all:4.1.8;org.apache.cassandra:cassandra-all:4.0.15;org.apache.cassandra:cassandra-all:5.0.3

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27137

Good to know:

Date: February 4, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?