CVE-2025-23015

Summary

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.

This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.

Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Cassandra3.0.0 <= 3.0.30affected
Apache Software FoundationApache Cassandra3.1.0 <= 3.11.17affected
Apache Software FoundationApache Cassandra4.0.0 <= 4.0.15affected
Apache Software FoundationApache Cassandra4.1.0 <= 4.1.7affected
Apache Software FoundationApache Cassandra5.0.0 <= 5.0.2affected

Weaknesses

  • CWE-267: CWE-267 Privilege Defined With Unsafe Actions

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References