CVE-2023-30601 HIGH

CVE-2023-30601: Apache Cassandra: Privilege escalation when enabling FQL/Audit logs

Vendor Apache Software Foundation

Product Apache Cassandra

Weakness CWE-269

Published May 30, 2023

Last update October 9, 2024

View on NVD All CVEs

CVSS base score

7.8/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users. MITIGATION Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.

Key dates

Disclosure timeline

May 30, 2023 CVE published

October 9, 2024 Record updated

Identifiers

CVE CVE-2023-30601

CWE CWE-269

CVSS 7.8 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache Cassandra

Affected ≥ 4.0.0 and ≤ 4.0.9

Vendor Apache Software Foundation

Product Apache Cassandra

Affected ≥ 4.1.0 and ≤ 4.1.1