A performance regression was detected in the security releases 3.0.31 [1] and 3.11.18 [2]. Users affected by this vulnerability are recommended to upgrade to versions 3.0.32 and 3.11.19 instead.
Remaining versions are unaffected.

[1] - https://lists.apache.org/thread/yprngr9cmp9c43m1c56thv1v0v6y5ywq
[2] - https://lists.apache.org/thread/hc9shwlm1kmxdxosbh3qo2xooqoo3sc6

On Mon, Feb 3, 2025 at 6:19 PM Paulo Motta <pa...@apache.org> wrote:
>
> Severity: moderate
>
> Affected versions:
>
> - Apache Cassandra 3.0.0 through 3.0.30
> - Apache Cassandra 3.1.0 through 3.11.17
> - Apache Cassandra 4.0.0 through 4.0.15
> - Apache Cassandra 4.1.0 through 4.1.7
> - Apache Cassandra 5.0.0 through 5.0.2
>
> Description:
>
> Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A
> user with MODIFY permission ON ALL KEYSPACES can escalate privileges to
> superuser within a targeted Cassandra cluster via unsafe actions to a system
> resource. Operators granting data MODIFY permission on all keyspaces on
> affected versions should review data access rules for potential breaches.
>
> This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7,
> 5.0.2.
>
> Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8,
> 5.0.3, which fix the issue.
>
> This issue was reported by Adam Pond, Ali Mirheidari, Terry Thibault, and
> Will Brattain of Apple Services Engineering Security.
>
> References:
>
> https://cassandra.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2025-23015
>
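An added triage helper (not part of the advisory or the Cassandra project) for the two checks operators are asked to make: map each node's version to affected / regressed / ok using the ranges above, and list roles holding MODIFY on the root `data` resource (ON ALL KEYSPACES) from `system_auth.role_permissions` rows; the `data` resource name, the sample node list and the sample rows are assumptions constructed for the example.

```python
"""Triage for CVE-2025-23015: version status plus roles to review."""
from typing import Iterable

# Affected ranges taken from the advisory (inclusive).
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 0, 30)),
    ((3, 1, 0), (3, 11, 17)),
    ((4, 0, 0), (4, 0, 15)),
    ((4, 1, 0), (4, 1, 7)),
    ((5, 0, 0), (5, 0, 2)),
]
# Fixed builds that carry the performance regression; the follow-up
# message recommends 3.0.32 / 3.11.19 instead.
REGRESSED = {(3, 0, 31), (3, 11, 18)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '3.11.17' into (3, 11, 17); missing components become 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def version_status(text: str) -> str:
    """'affected' (vulnerable), 'regressed' (patched but slow), or 'ok'."""
    version = parse_version(text)
    if version in REGRESSED:
        return "regressed"
    if any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    return "ok"


def roles_to_review(rows: Iterable[tuple[str, str, set[str]]]) -> list[str]:
    """Roles with MODIFY on the root data resource (ON ALL KEYSPACES).

    rows mimic (role, resource, permissions) from system_auth.role_permissions;
    the root keyspace resource is assumed to be named 'data', while
    'data/<keyspace>' scopes a grant to one keyspace and is not flagged.
    """
    return sorted({role for role, res, perms in rows
                   if res == "data" and "MODIFY" in perms})


def fleet_report(nodes: dict[str, str], rows) -> dict[str, object]:
    """Combine both checks into one summary for the operator."""
    needs_upgrade = {n: version_status(v) for n, v in nodes.items()
                     if version_status(v) != "ok"}
    return {"nodes_to_upgrade": needs_upgrade, "roles_to_review": roles_to_review(rows)}
```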