CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-27137 – Apache Cassandra: unrestricted deserialization of JMX authentication credentials
https://notcve.org/view.php?id=CVE-2024-27137
04 Feb 2025 — In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10. This issue affects Apache Cassan... • https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24860 – Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions
https://notcve.org/view.php?id=CVE-2025-24860
04 Feb 2025 — Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both Cass... • https://lists.apache.org/thread/yjo5on4tf7s1r9qklc4byrz30b8vkm2d • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-23015 – Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions
https://notcve.org/view.php?id=CVE-2025-23015
04 Feb 2025 — Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.... • https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s • CWE-267: Privilege Defined With Unsafe Actions •