CVE-2025-23015
Last modified
CVE-2025-23015 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. EPSS estimates a 0.88% chance of exploitation in the next 30 days.
Description
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cassandra | >= 3.0.0, < 3.0.31 |
| Apache | Cassandra | >= 3.1, < 3.11.18 |
| Apache | Cassandra | >= 4.0.0, < 4.0.16 |
| Apache | Cassandra | >= 4.1.0, < 4.1.8 |
| Apache | Cassandra | >= 5.0.0, < 5.0.3 |
References
- https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3sIssue Tracking, Mailing List, Vendor Advisory
- http://www.openwall.com/lists/oss-security/2025/02/03/2Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2025/02/11/1Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20250214-0006/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-23015?
How severe is CVE-2025-23015?
How do I fix CVE-2025-23015?
Are you affected by CVE-2025-23015?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST