[jira] [Updated] (CASSANDRA-20612) CVE-2025-24860 and CVE-2025-23015 are reported by the black duck scan in Cassandra5.0.2

Fri, 02 May 2025 05:07:52 -0700 


     [ 
https://issues.apache.org/jira/browse/CASSANDRA-20612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brandon Williams updated CASSANDRA-20612:
-----------------------------------------
    Resolution: Invalid
        Status: Resolved  (was: Triage Needed)

This is our own CVE.

"This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 
5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 
4.1.8, 5.0.3, which fixes the issue."

> CVE-2025-24860 and CVE-2025-23015 are reported by the black duck scan in 
> Cassandra5.0.2
> ---------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20612
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20612
>             Project: Apache Cassandra
>          Issue Type: Bug
>            Reporter: Kapil Shewate
>            Priority: Normal
>
> [https://nvd.nist.gov/vuln/detail/CVE-2025-24860]
> Incorrect Authorization vulnerability in Apache Cassandra allowing users to 
> access a datacenter or IP/CIDR groups they should not be able to when using 
> CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted 
> data center access can update their own permissions via data control language 
> (DCL) statements on affected versions. This issue affects Apache Cassandra: 
> from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for 
> CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both 
> CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using 
> CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions 
> should review data access rules for potential breaches. Users are recommended 
> to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
>  
> [https://nvd.nist.gov/vuln/detail/CVE-2025-23015]
> Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An 
> user with MODIFY permission ON ALL KEYSPACES can escalate privileges to 
> superuser within a targeted Cassandra cluster via unsafe actions to a system 
> resource. Operators granting data MODIFY permission on all keyspaces on 
> affected versions should review data access rules for potential breaches. 
> This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 
> 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 
> 4.1.8, 5.0.3, which fixes the issue.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to