[ https://issues.apache.org/jira/browse/CASSANDRA-20612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17948890#comment-17948890 ]

Kapil Shewate commented on CASSANDRA-20612:
-------------------------------------------

Can anyone confirm if Cassandra 5.0.2 is vulnerable?

> CVE-2025-24860 and CVE-2025-23015 are reported by the Black Duck scan in 
> Cassandra 5.0.2
> ---------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20612
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20612
>             Project: Apache Cassandra
>          Issue Type: Bug
>            Reporter: Kapil Shewate
>            Priority: Normal
>
> [https://nvd.nist.gov/vuln/detail/CVE-2025-24860]
> Incorrect Authorization vulnerability in Apache Cassandra allowing users to 
> access a datacenter or IP/CIDR groups they should not be able to when using 
> CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted 
> data center access can update their own permissions via data control language 
> (DCL) statements on affected versions. This issue affects Apache Cassandra: 
> from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for 
> CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both 
> CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using 
> CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions 
> should review data access rules for potential breaches. Users are recommended 
> to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
>  
> [https://nvd.nist.gov/vuln/detail/CVE-2025-23015]
> Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A 
> user with MODIFY permission ON ALL KEYSPACES can escalate privileges to 
> superuser within a targeted Cassandra cluster via unsafe actions to a system 
> resource. Operators granting data MODIFY permission on all keyspaces on 
> affected versions should review data access rules for potential breaches. 
> This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 
> 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 
> 4.1.8, 5.0.3, which fixes the issue.
>  

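A small checker for the version question raised in the comment, added here as an example and not part of the Jira thread or the Cassandra project. It encodes the affected ranges exactly as quoted in the two NVD descriptions above; each "through X" range is modelled as starting at the .0 release of that line (an assumption, so release lines older than 3.0 are not covered), and versions are compared numerically so that, for example, 5.0.10 is correctly treated as newer than 5.0.2.

```python
"""Map a Cassandra version string to the CVEs quoted in CASSANDRA-20612."""
from typing import List, Tuple

# Affected ranges taken from the NVD descriptions quoted above, as
# (inclusive lower bound, inclusive upper bound, first fixed version).
# Assumption: a "through X" range starts at the .0 release of that line.
AFFECTED = {
    "CVE-2025-24860": [
        ((4, 0, 0), (4, 0, 15), (4, 0, 16)),
        ((4, 1, 0), (4, 1, 7), (4, 1, 8)),
        ((5, 0, 0), (5, 0, 2), (5, 0, 3)),
    ],
    "CVE-2025-23015": [
        ((3, 0, 0), (3, 0, 30), (3, 0, 31)),
        ((3, 11, 0), (3, 11, 17), (3, 11, 18)),
        ((4, 0, 0), (4, 0, 15), (4, 0, 16)),
        ((4, 1, 0), (4, 1, 7), (4, 1, 8)),
        ((5, 0, 0), (5, 0, 2), (5, 0, 3)),
    ],
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.0.2' (or '5.0.2-SNAPSHOT') into a numerically comparable tuple."""
    core = version.strip().split("-")[0]          # drop any '-SNAPSHOT' style suffix
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                         # pad '5.0' to (5, 0, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def affected_cves(version: str) -> List[Tuple[str, str]]:
    """Return (CVE id, fixed version) pairs that apply to the given version.

    An empty list means the version is outside every quoted affected range.
    """
    v = parse_version(version)
    hits: List[Tuple[str, str]] = []
    for cve, ranges in AFFECTED.items():
        for low, high, fixed in ranges:
            if low <= v <= high:                  # tuple comparison, not string comparison
                hits.append((cve, ".".join(str(n) for n in fixed)))
                break                             # a version sits in at most one line
    return hits


if __name__ == "__main__":
    for ver in ("5.0.2", "5.0.3", "4.0.10", "3.11.17"):
        print(ver, "->", affected_cves(ver) or "not in a quoted affected range")
```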


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
