CVE-2025-23015

CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions

Vendor Apache Software Foundation

Product Apache Cassandra

Weakness CWE-267

Published February 4, 2025

Last update February 15, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Key dates

Disclosure timeline

February 4, 2025 CVE published

February 15, 2025 Record updated

Identifiers

CVE CVE-2025-23015

CWE CWE-267

Affected versions

Vendor Apache Software Foundation

Product Apache Cassandra

Affected ≥ 3.0.0 and ≤ 3.0.30

Vendor Apache Software Foundation

Product Apache Cassandra

Affected ≥ 3.1.0 and ≤ 3.11.17

Vendor Apache Software Foundation

Product Apache Cassandra

Affected ≥ 4.0.0 and ≤ 4.0.15

Vendor Apache Software Foundation

Product Apache Cassandra

Affected ≥ 4.1.0 and ≤ 4.1.7

Vendor Apache Software Foundation

Product Apache Cassandra

Affected ≥ 5.0.0 and ≤ 5.0.2