Vulnerability Description
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cassandra | >= 3.0.0, < 3.0.31 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3sIssue TrackingMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/02/03/2Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2025/02/11/1Mailing ListThird Party Advisory
- https://security.netapp.com/advisory/ntap-20250214-0006/Third Party Advisory
FAQ
What is CVE-2025-23015?
CVE-2025-23015 is a vulnerability with a CVSS score of 8.8 (HIGH). Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via un...
How severe is CVE-2025-23015?
CVE-2025-23015 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-23015?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Cassandra.