CVE-2020-1929 org.apache.beam:beam-sdks-java-io-mongodb

Package

Manager: maven
Name: org.apache.beam:beam-sdks-java-io-mongodb
Vulnerable Version: >=2.10.0 <2.17.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.004 (percentile 0.59899)

Details

Improper Certificate Validation in Apache Beam

The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However, this configuration is not respected: the connector disables trust verification in every case. This exclusion is also registered globally, which disables trust checking for any code running in the same JVM.
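The two defects described above (an option that is never consulted, and a trust-all setting that leaks to the whole JVM) are shown side by side below in an added illustration; this is not Apache Beam's code. The class and method names are hypothetical, and `SSLContext.setDefault` is assumed as the JVM-wide registration point, since the advisory does not name the mechanism.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TrustScopeDemo {
    // Accepts every certificate chain: this is what "trust verification disabled" means.
    static final TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    static SSLContext trustAllContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {TRUST_ALL}, null);
        return ctx;
    }

    // Flawed pattern (hypothetical): the flag is never read, and the trust-all
    // context is installed as the default for every TLS user in the JVM.
    static SSLContext flawedSetup(boolean ignoreSslCertificate) throws GeneralSecurityException {
        SSLContext ctx = trustAllContext();
        SSLContext.setDefault(ctx); // assumed registration point, not taken from the advisory
        return ctx;
    }

    // Corrected pattern: honour the flag and hand the context to one client only.
    static SSLContext scopedSetup(boolean ignoreSslCertificate) throws GeneralSecurityException {
        return ignoreSslCertificate ? trustAllContext() : SSLContext.getDefault();
    }

    public static void main(String[] args) throws Exception {
        SSLContext jvmDefault = SSLContext.getDefault();

        // Regression checks a connector test suite could carry.
        System.out.println("scoped, flag=false keeps verification: "
                + (scopedSetup(false) == jvmDefault));
        scopedSetup(true);
        System.out.println("scoped, flag=true leaves JVM default alone: "
                + (SSLContext.getDefault() == jvmDefault));

        flawedSetup(false); // caller asked for verification, gets none
        System.out.println("flawed, flag=false replaced JVM default: "
                + (SSLContext.getDefault() != jvmDefault));
        SSLContext.setDefault(jvmDefault); // restore for anything that runs afterwards
    }
}
```

Comparing `SSLContext.getDefault()` before and after connector setup, as `main` does, is a cheap way to catch any library that changes JVM-wide TLS defaults.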

Metadata

Created: 2020-05-06T20:49:04Z
Modified: 2021-08-25T21:06:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-2m7g-9q74-9m3q/GHSA-2m7g-9q74-9m3q.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-2m7g-9q74-9m3q
Finding: F163
Auto approve: 1