Privilege Defined With Unsafe Actions Affecting org.apache.cassandra:cassandra-all package, versions [3.0.0,3.0.31)[3.1,3.11.18)[4.0-alpha1,4.1.8)[5.0-alpha1,5.0.3)


Severity

high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.32% (55th percentile)

  • Snyk ID: SNYK-JAVA-ORGAPACHECASSANDRA-8688120
  • Published: 5 Feb 2025
  • Disclosed: 4 Feb 2025
  • Credit: Adam Pond, Ali Mirheidari, Terry Thibault, Will Brattain

Introduced: 4 Feb 2025

CVE-2025-23015
CWE-267

How to fix?

Upgrade org.apache.cassandra:cassandra-all to version 3.0.31, 3.11.18, 4.1.8, 5.0.3 or higher.

Overview

org.apache.cassandra:cassandra-all is a maven plugin for the Apache Cassandra project, which develops a highly scalable second-generation distributed database that brings together Dynamo's fully distributed design and Bigtable's ColumnFamily-based data model.

Affected versions of this package are vulnerable to Privilege Defined With Unsafe Actions in auth/Permission.java. A user who holds the MODIFY permission on ALL KEYSPACES can escalate to superuser, because ALL KEYSPACES grants access to and modification of the system keyspaces by default.

Note: The fix for this vulnerability was found to have been improperly applied to 4.0.16, and first fixed for 4.0 in 4.0.17. The vulnerability in 4.0.16 is tracked as CVE-2025-26467.
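Until the upgrade above is applied, the condition described in the overview can be audited from the grant tables. The following is an added example, not part of this advisory or of Apache Cassandra; it runs over constructed rows shaped like system_auth.role_permissions (role, resource, permissions) and system_auth.roles (role, is_superuser), and assumes Cassandra's DataResource string convention where "data" denotes ALL KEYSPACES and "data/<ks>" or "data/<ks>/<table>" narrower scopes.

```python
"""Flag non-superuser roles holding MODIFY on ALL KEYSPACES (CVE-2025-23015 audit)."""

# Constructed sample rows; in practice read them with
# SELECT role, resource, permissions FROM system_auth.role_permissions;
SAMPLE_ROLE_PERMISSIONS = [
    ("analytics", "data/app_ks", {"SELECT"}),
    ("etl_writer", "data", {"SELECT", "MODIFY"}),          # MODIFY on ALL KEYSPACES
    ("ops_admin", "data", {"SELECT", "MODIFY", "ALTER"}),  # already a superuser
    ("reporting", "data/app_ks/events", {"SELECT", "MODIFY"}),
    ("auditor", "roles/etl_writer", {"DESCRIBE"}),         # not a data resource
]
# Constructed sample of system_auth.roles: role -> is_superuser
SAMPLE_ROLES = {
    "analytics": False,
    "etl_writer": False,
    "ops_admin": True,
    "reporting": False,
    "auditor": False,
}


def parse_resource(resource):
    """Split a DataResource string into its scope parts.

    'data'            -> []             (ALL KEYSPACES)
    'data/ks'         -> ['ks']         (one keyspace)
    'data/ks/table'   -> ['ks', 'table']
    Non-data resources (roles/..., functions/...) return None.
    """
    parts = resource.split("/")
    if parts[0] != "data":
        return None
    return parts[1:]


def find_risky_grants(role_permissions, roles):
    """Return sorted roles that are not superusers yet hold MODIFY on ALL KEYSPACES.

    Such a grant reaches the system keyspaces on unpatched versions, which is the
    escalation path this advisory describes.
    """
    risky = set()
    for role, resource, perms in role_permissions:
        scope = parse_resource(resource)
        if scope is None:
            continue  # only DataResource grants matter here
        if scope == [] and "MODIFY" in perms and not roles.get(role, False):
            risky.add(role)
    return sorted(risky)


if __name__ == "__main__":
    for role in find_risky_grants(SAMPLE_ROLE_PERMISSIONS, SAMPLE_ROLES):
        print(f"review grant: {role} has MODIFY on ALL KEYSPACES without superuser")
```

Roles the audit reports should have their grant narrowed to the specific keyspaces they need, which also removes the system-keyspace exposure on versions that cannot be upgraded immediately.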
