CVE-2020-1929 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2020-1929?

CVE-2020-1929 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-1929?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Beam.

Vulnerability Description

The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Beam	>= 2.10.0, <= 2.16.0

Related Weaknesses (CWE)

CWE-295

References

https://lists.apache.org/thread.html/rdd0e85b71bf0274471b40fa1396d77f7b2d1165eaeMailing ListVendor Advisory
https://lists.apache.org/thread.html/rdd0e85b71bf0274471b40fa1396d77f7b2d1165eaeMailing ListVendor Advisory

FAQ

What is CVE-2020-1929?

CVE-2020-1929 is a vulnerability with a CVSS score of 7.5 (HIGH). The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables tr...

How severe is CVE-2020-1929?

CVE-2020-1929 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-1929?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Beam.