CVE-2025-24860

low-risk

Published 2025-02-04

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Do I need to act?

0.21% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Cassandra

Affected Vendors

Apache

References (3)

Vendor Advisory https://lists.apache.org/thread/yjo5on4tf7s1r9qklc4byrz30b8vkm2d

Mailing List http://www.openwall.com/lists/oss-security/2025/02/03/3

Third Party Advisory https://security.netapp.com/advisory/ntap-20250214-0005/

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal