
CVE-2020-35211: An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.46742%
CWE: -
Published: 12/17/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name      Ecosystem  Vulnerable Versions  First Patched Version
io.atomix:atomix  maven      <= 3.1.5

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability centers on improper handling of Raft consensus terms in RaftContext. This assessment is based on:

1) the explicit reference to term manipulation in RaftContext in the CVE description;
2) Raft protocol mechanics, in which leadership is determined by term numbers;
3) standard Raft implementation patterns, which place term management in RaftContext;
4) leader election being handled via AppendEntries RPCs;
5) the high severity score, which indicates a protocol-level authentication flaw.

The affected functions likely lack proper validation of node authorization when processing term updates and leadership claims.
