[jira] [Updated] (CASSANDRA-20612) CVE-2025-24860 and CVE-2025-23015 are reported by the black duck scan in Cassandra5.0.2

Kapil Shewate (Jira) Fri, 02 May 2025 05:02:04 -0700


     [ 
https://issues.apache.org/jira/browse/CASSANDRA-20612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Kapil Shewate updated CASSANDRA-20612:
--------------------------------------
    Description: 
https://nvd.nist.gov/vuln/detail/CVE-2025-24860

Incorrect Authorization vulnerability in Apache Cassandra allowing users to 
access a datacenter or IP/CIDR groups they should not be able to when using 
CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted 
data center access can update their own permissions via data control language 
(DCL) statements on affected versions. This issue affects Apache Cassandra: 
from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for 
CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both 
CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using 
CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions 
should review data access rules for potential breaches. Users are recommended 
to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

 

 

> CVE-2025-24860 and CVE-2025-23015 are reported by the black duck scan in 
> Cassandra5.0.2
> ---------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20612
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20612
>             Project: Apache Cassandra
>          Issue Type: Bug
>            Reporter: Kapil Shewate
>            Priority: Normal
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-24860
> Incorrect Authorization vulnerability in Apache Cassandra allowing users to 
> access a datacenter or IP/CIDR groups they should not be able to when using 
> CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted 
> data center access can update their own permissions via data control language 
> (DCL) statements on affected versions. This issue affects Apache Cassandra: 
> from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for 
> CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both 
> CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using 
> CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions 
> should review data access rules for potential breaches. Users are recommended 
> to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Updated] (CASSANDRA-20612) CVE-2025-24860 and CVE-2025-23015 are reported by the black duck scan in Cassandra5.0.2

Reply via email to