{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-23015","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2025-01-10T03:33:46.731Z","datePublished":"2025-02-04T09:37:18.580Z","dateUpdated":"2025-02-15T00:10:34.356Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Cassandra","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"3.0.30","status":"affected","version":"3.0.0","versionType":"semver"},{"lessThanOrEqual":"3.11.17","status":"affected","version":"3.1.0","versionType":"semver"},{"lessThanOrEqual":"4.0.15","status":"affected","version":"4.0.0","versionType":"semver"},{"lessThanOrEqual":"4.1.7","status":"affected","version":"4.1.0","versionType":"semver"},{"lessThanOrEqual":"5.0.2","status":"affected","version":"5.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Adam Pond of Apple Services Engineering Security"},{"lang":"en","type":"finder","value":"Ali Mirheidari of Apple Services Engineering Security"},{"lang":"en","type":"finder","value":"Terry Thibault of Apple Services Engineering Security"},{"lang":"en","type":"finder","value":"Will Brattain of Apple Services Engineering Security"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.<br><br>This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.<br><br>Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.<br>"}],"value":"Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.\n\nThis issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.\n\nUsers are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue."}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-267","description":"CWE-267 Privilege Defined With Unsafe Actions","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2025-02-04T09:37:18.580Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s"}],"source":{"discovery":"UNKNOWN"},"title":"Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2025/02/03/2"},{"url":"http://www.openwall.com/lists/oss-security/2025/02/11/1"},{"url":"https://security.netapp.com/advisory/ntap-20250214-0006/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-02-15T00:10:34.356Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":8.8,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-02-04T18:28:23.512076Z","id":"CVE-2025-23015","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-04T18:28:55.466Z"}}]}}