CVE-2020-1960: Injection Vulnerability

May 14, 2020 (updated July 21, 2021)

When running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name > .port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker’s control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data.

References

nvd.nist.gov/vuln/detail/CVE-2020-1960

Detect and mitigate CVE-2020-1960 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 1.1.0 up to 1.1.5, all versions starting from 1.2.0 up to 1.2.1, all versions starting from 1.3.0 up to 1.3.3, all versions starting from 1.4.0 up to 1.4.2, all versions starting from 1.5.0 up to 1.5.6, all versions starting from 1.6.0 up to 1.6.4, all versions starting from 1.7.0 up to 1.7.2, all versions starting from 1.8.0 up to 1.8.3, all versions starting from 1.9.0 up to 1.9.2, version 1.10.0