Vulnerability DatabaseCVE-2025-23015
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-23015
February 04, 2025
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
Affected Packages
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=4.0-alpha1 <4.0.16
Fix Suggestion:
Update to version 4.0.16
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=4.0-alpha1 <4.0.16
Fix Suggestion:
Update to version 4.0.16
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=4.0-alpha1 <4.0.16
Fix Suggestion:
Update to version 4.0.16
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=5.0-alpha1 <5.0.3
Fix Suggestion:
Update to version 5.0.3
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=0.7.0-rc4 <3.0.31
Fix Suggestion:
Update to version 3.0.31
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=4.1-alpha1 <4.1.8
Fix Suggestion:
Update to version 4.1.8
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=3.1 <3.11.18
Fix Suggestion:
Update to version 3.11.18
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=0.7.0-rc4 <3.0.31
Fix Suggestion:
Update to version 3.0.31
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=5.0-alpha1 <5.0.3
Fix Suggestion:
Update to version 5.0.3
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=4.0-alpha1 <4.0.16
Fix Suggestion:
Update to version 4.0.16
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=4.1-alpha1 <4.1.8
Fix Suggestion:
Update to version 4.1.8
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=3.1 <3.11.18
Fix Suggestion:
Update to version 3.11.18
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=0.7.0-rc4 <3.0.31
Fix Suggestion:
Update to version 3.0.31
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=3.1 <3.11.18
Fix Suggestion:
Update to version 3.11.18
org.apache.cassandra:cassandra-all (JAVA):
Affected version(s) >=0.7.0-rc4 <3.0.31
Fix Suggestion:
Update to version 3.0.31
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (9)
https://github.com/apache/cassandra/commit/6207a305ba2b0cebc3241e00a843ab5dbf86d2ed
http://www.openwall.com/lists/oss-security/2025/02/03/2
https://security.netapp.com/advisory/ntap-20250214-0006
https://security.netapp.com/advisory/ntap-20250214-0006/
https://github.com/apache/cassandra/commit/f33267c8fae6d71166886efc3e7ddda4114ebeef
http://www.openwall.com/lists/oss-security/2025/02/11/1
https://github.com/apache/cassandra
https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s
https://nvd.nist.gov/vuln/detail/CVE-2025-23015
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Privilege Defined With Unsafe Actions
CWE-267
EPSS
Base Score:
0.41