CVE-2025-23015

moderate-risk

Published 2025-02-04

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Do I need to act?

0.41% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Cassandra

Affected Vendors

Apache

References (4)

Issue Tracking https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s

Mailing List http://www.openwall.com/lists/oss-security/2025/02/03/2

Mailing List http://www.openwall.com/lists/oss-security/2025/02/11/1

Third Party Advisory https://security.netapp.com/advisory/ntap-20250214-0006/

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal