CVE-2025-24860

MEDIUM

5.4

Descripcion

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Detalles CVE

Puntuacion CVSS v3.15.4

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado2/4/2025

Ultima modificacion6/9/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

apache:cassandra

Debilidades (CWE)

CWE-863

Referencias

https://lists.apache.org/thread/yjo5on4tf7s1r9qklc4byrz30b8vkm2d(security@apache.org)

http://www.openwall.com/lists/oss-security/2025/02/03/3(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20250214-0005/(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.