apache cxf CVE-2020-1954 vulnerability in Apache and Other Products
Published on April 1, 2020

product logo product logo product logo
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the createMBServerConnectorFactory property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.

NVD


Products Associated with CVE-2020-1954

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-1954 are published in these products:

Apache CXF
 
Oracle Communications Diameter Signaling Router
 
Oracle Communications Element Manager
 
Oracle Communications Session Report Manager
 
Oracle Enterprise Manager Base Platform
 
Oracle Peoplesoft Enterprise Peopletools
 
NetApp Oncommand Workflow Automation
 
NetApp Snapmanager
 
Oracle Communications Diameter Signaling Router Idih
 
Oracle Communications Session Route Manager
 

Affected Versions

Apache CXF Version affects all versions prior to 3.3.6 and 3.2.13 is affected by CVE-2020-1954

Exploit Probability

EPSS
0.22%
Percentile
43.98%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.