Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-24860

Опубликовано: 04 фев. 2025
Источник: nvd
CVSS3: 5.4
EPSS Низкий

Описание

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer.

Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions.

This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer.

Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Версия от 4.0.0 (включая) до 4.0.16 (исключая)
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Версия от 4.1.0 (включая) до 4.1.8 (исключая)
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Версия от 5.0.0 (включая) до 5.0.3 (исключая)

EPSS

Процентиль: 26%
0.0009
Низкий

5.4 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

redhat логотип

CVE-2025-24860

CVSS3: 5.4
redhat
около 1 года назад

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

debian логотип

CVE-2025-24860

CVSS3: 5.4
debian
около 1 года назад

Incorrect Authorization vulnerability in Apache Cassandra allowing use ...

github логотип

GHSA-3cjf-fwcq-xh22

CVSS3: 5.4
github
около 1 года назад

Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions

fstec логотип

BDU:2025-01159

CVSS3: 9.9
fstec
около 1 года назад

Уязвимость компонентов CassandraNetworkAuthorizer и CassandraCIDRAuthorizer распределённой системы управления базами данных Apache Cassandra, позволяющая нарушителю повысить свои привилегии

redos логотип

ROS-20251203-03

CVSS3: 9.9
redos
2 месяца назад

Множественные уязвимости Cassandra

EPSS

Процентиль: 26%
0.0009
Низкий

5.4 Medium

CVSS3

Дефекты

CWE-863