[ https://issues.apache.org/jira/browse/CASSANDRA-21180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Semb Wever updated CASSANDRA-21180:
-------------------------------------------
Description:
CVE-2026-27315 – https://www.cve.org/CVERecord?id=CVE-2026-27315
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to
sensitive information, like passwords, from previously executed cqlsh commands
via ~/.cassandra/cqlsh_history local file access.
--
Description: Cassandra's command-line tool, cqlsh, provides a command history
feature that allows users to recall previously executed commands using the
up/down arrow keys. These history records are saved in the
~/.cassandra/cqlsh_history file in the user's home directory.
However, cqlsh does not redact sensitive information when saving command
history. This means that if a user executes operations involving passwords
(such as logging in or creating users) within cqlsh, these passwords are
permanently stored in cleartext in the history file on the disk.
was:more info coming in a few hours…
> cqlsh improvements
> ------------------
>
> Key: CASSANDRA-21180
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21180
> Project: Apache Cassandra
> Issue Type: Task
> Components: Tool/cqlsh
> Reporter: Michael Semb Wever
> Assignee: Ekaterina Dimitrova
> Priority: Normal
> Fix For: 4.0.20, 4.1.11, 5.0.7, 6.0-alpha1, 6.0
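An added example, not part of the original message and not the Cassandra project's fix: a way to audit an existing `~/.cassandra/cqlsh_history` file for the statements named in the description (logging in, creating or altering users and roles) and mask the password literals. It assumes one history entry per line; the function names `redact`, `audit` and `scrub_file` are hypothetical, and the sample entries are constructed.

```python
import os
import re
import stat

# CQL string literal: single-quoted ('' escapes a quote) or $$-quoted.
LITERAL = r"(?:'(?:[^']|'')*'|\$\$.*?\$\$)"
# PASSWORD clause of CREATE/ALTER USER and CREATE/ALTER ROLE (ROLE uses '=').
PASSWORD_RE = re.compile(r"(\bPASSWORD\s*=?\s*)" + LITERAL, re.I)
# cqlsh "LOGIN <user> <password>"; the password may be bare or quoted.
LOGIN_RE = re.compile(r"^(\s*LOGIN\s+\S+\s+)(?:" + LITERAL + r"|[^\s;]+)", re.I)
MASK = "'<redacted>'"


def redact(entry):
    """Return one history entry with any password literal replaced by MASK."""
    entry = PASSWORD_RE.sub(r"\g<1>" + MASK, entry)
    return LOGIN_RE.sub(r"\g<1>" + MASK, entry)


def audit(lines):
    """Return (cleaned lines, 1-based numbers of lines that held a password)."""
    cleaned = [redact(line) for line in lines]
    hits = [i for i, (old, new) in enumerate(zip(lines, cleaned), 1) if old != new]
    return cleaned, hits


def scrub_file(path):
    """Mask passwords in a history file in place and restrict it to mode 0600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        cleaned, hits = audit(fh.read().splitlines())
    os.chmod(path, 0o600)  # owner-only before the rewrite
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("".join(line + "\n" for line in cleaned))
    return {"lines_redacted": hits, "was_readable_by_others": bool(mode & 0o077)}


# Constructed sample history entries (not taken from a real system).
SAMPLE = [
    "SELECT * FROM system.local;",
    "CREATE ROLE app WITH PASSWORD = 'S3cr3t''x' AND LOGIN = true;",
    "ALTER USER bob WITH PASSWORD 'hunter2';",
    "LOGIN alice hunter2",
    "LOGIN alice;",
]

if __name__ == "__main__":
    for line in audit(SAMPLE)[0]:
        print(line)
```

Masking the file does not undo earlier exposure, so any credential reported in `lines_redacted` should be rotated.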