{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2020-13946","title":"Title"},{"category":"description","text":"In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2020-13946","url":"https://www.suse.com/security/cve/CVE-2020-13946"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1184734 for CVE-2020-13946","url":"https://bugzilla.suse.com/1184734"}],"title":"SUSE CVE CVE-2020-13946","tracking":{"current_release_date":"2025-04-25T05:31:47Z","generator":{"date":"2023-02-15T03:58:09Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2020-13946","initial_release_date":"2023-02-15T03:58:09Z","revision_history":[{"date":"2023-02-15T03:58:09Z","number":"2","summary":"Current version"},{"date":"2025-01-01T05:35:36Z","number":"3","summary":"Current version"},{"date":"2025-02-15T06:14:04Z","number":"4","summary":"Current version"},{"date":"2025-02-17T06:35:03Z","number":"5","summary":"Current version"},{"date":"2025-03-13T16:50:29Z","number":"6","summary":"Current version"},{"date":"2025-03-15T09:57:24Z","number":"7","summary":"Current version"},{"date":"2025-04-25T05:31:47Z","number":"8","summary":"Current version"}],"status":"interim","version":"8"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"HPE Helion OpenStack 8","product":{"name":"HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8","product_identification_helper":{"cpe":"cpe:/o:suse:hpe-helion-openstack:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 8","product":{"name":"SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 9","product":{"name":"SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:9"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_version","name":"cassandra","product":{"name":"cassandra","product_id":"cassandra","product_identification_helper":{"cpe":"cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/cassandra@?upstream=cassandra.src.rpm"}}},{"category":"product_version","name":"cassandra-tools","product":{"name":"cassandra-tools","product_id":"cassandra-tools","product_identification_helper":{"cpe":"cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/cassandra-tools@?upstream=cassandra.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"cassandra as component of HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8:cassandra"},"product_reference":"cassandra","relates_to_product_reference":"HPE Helion OpenStack 8"},{"category":"default_component_of","full_product_name":{"name":"cassandra-tools as component of HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8:cassandra-tools"},"product_reference":"cassandra-tools","relates_to_product_reference":"HPE Helion OpenStack 8"},{"category":"default_component_of","full_product_name":{"name":"cassandra as component of SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8:cassandra"},"product_reference":"cassandra","relates_to_product_reference":"SUSE OpenStack Cloud 8"},{"category":"default_component_of","full_product_name":{"name":"cassandra-tools as component of SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8:cassandra-tools"},"product_reference":"cassandra-tools","relates_to_product_reference":"SUSE OpenStack Cloud 8"},{"category":"default_component_of","full_product_name":{"name":"cassandra as component of SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9:cassandra"},"product_reference":"cassandra","relates_to_product_reference":"SUSE OpenStack Cloud 9"},{"category":"default_component_of","full_product_name":{"name":"cassandra-tools as component of SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9:cassandra-tools"},"product_reference":"cassandra-tools","relates_to_product_reference":"SUSE OpenStack Cloud 9"},{"category":"default_component_of","full_product_name":{"name":"cassandra as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:cassandra"},"product_reference":"cassandra","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"cassandra-tools as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:cassandra-tools"},"product_reference":"cassandra-tools","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"cassandra as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:cassandra"},"product_reference":"cassandra","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"},{"category":"default_component_of","full_product_name":{"name":"cassandra-tools as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:cassandra-tools"},"product_reference":"cassandra-tools","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"}]},"vulnerabilities":[{"cve":"CVE-2020-13946","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-13946"}],"notes":[{"category":"general","text":"In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.","title":"CVE description"}],"product_status":{"known_not_affected":["HPE Helion OpenStack 8:cassandra","HPE Helion OpenStack 8:cassandra-tools","SUSE OpenStack Cloud 8:cassandra","SUSE OpenStack Cloud 8:cassandra-tools","SUSE OpenStack Cloud 9:cassandra","SUSE OpenStack Cloud 9:cassandra-tools","SUSE OpenStack Cloud Crowbar 8:cassandra","SUSE OpenStack Cloud Crowbar 8:cassandra-tools","SUSE OpenStack Cloud Crowbar 9:cassandra","SUSE OpenStack Cloud Crowbar 9:cassandra-tools"]},"references":[{"category":"external","summary":"CVE-2020-13946","url":"https://www.suse.com/security/cve/CVE-2020-13946"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1184734 for CVE-2020-13946","url":"https://bugzilla.suse.com/1184734"}],"threats":[{"category":"impact","date":"2020-09-01T19:17:53Z","details":"moderate"}],"title":"CVE-2020-13946"}]}