CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions
First published: Mon Feb 03 2025(Updated: )
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Cassandra | <=3.0.30<=3.11.17<=4.0.15<=4.1.7<=5.0.2 | |
| maven/org.apache.cassandra:cassandra-all | <3.0.31 | 3.0.31 |
| maven/org.apache.cassandra:cassandra-all | >=3.1<3.11.18 | 3.11.18 |
| maven/org.apache.cassandra:cassandra-all | >=4.0-alpha1<4.0.16 | 4.0.16 |
| maven/org.apache.cassandra:cassandra-all | >=4.1-alpha1<4.1.8 | 4.1.8 |
| maven/org.apache.cassandra:cassandra-all | >=5.0-alpha1<5.0.3 | 5.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s
- http://www.openwall.com/lists/oss-security/2025/02/03/2
- http://www.openwall.com/lists/oss-security/2025/02/11/1
- https://security.netapp.com/advisory/ntap-20250214-0006/
- https://nvd.nist.gov/vuln/detail/CVE-2025-23015
- https://github.com/apache/cassandra/commit/6207a305ba2b0cebc3241e00a843ab5dbf86d2ed
- https://github.com/apache/cassandra/commit/f33267c8fae6d71166886efc3e7ddda4114ebeef
- https://github.com/advisories/GHSA-wmcc-9vch-jmx4 (Advisory)
- https://security.netapp.com/advisory/ntap-20250214-0006
Frequently Asked Questions
What is the severity of CVE-2025-23015?
The severity of CVE-2025-23015 is classified as high, due to the potential privilege escalation risk it poses to an Apache Cassandra cluster.
How do I fix CVE-2025-23015?
To fix CVE-2025-23015, restrict the MODIFY permission on all keyspaces and review user roles to prevent unauthorized privilege escalation.
Which versions of Apache Cassandra are affected by CVE-2025-23015?
Apache Cassandra versions up to and including 3.0.30, 3.11.17, 4.0.15, 4.1.7, and 5.0.2 are affected by CVE-2025-23015.
What actions can lead to privilege escalation in CVE-2025-23015?
Unsafe actions performed by users with MODIFY permissions on all keyspaces can lead to privilege escalation to superuser within a Cassandra cluster.
What are the implications of CVE-2025-23015 for Apache Cassandra users?
The implications of CVE-2025-23015 for Apache Cassandra users include the risk of unauthorized access and control over the database environment due to the privilege escalation vulnerability.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2025-23015
- agent/title
- agent/first-publish-date
- agent/weakness
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/author
- agent/softwarecombine
- agent/source
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/trending
- agent/severity
- collector/nvd-api
- source/NVD
- agent/references
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/github-advisory
- source/GitHub
- alias/GHSA-wmcc-9vch-jmx4
- agent/tags
- collector/github-advisory-latest
- vendor/apache
- canonical/apache cassandra
- package-manager/maven