Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T14:00:48.346Z

Reserved: 2020-08-12T00:00:00

Link: CVE-2020-17516

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-02-03T17:15:13.123

Modified: 2024-11-21T05:08:16.080

Link: CVE-2020-17516

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-02-02T00:00:00Z

Links: CVE-2020-17516 - Bugzilla

cve-icon OpenCVE Enrichment

No data.