BIT-cassandra-2023-30601

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/cassandra/BIT-cassandra-2023-30601.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-cassandra-2023-30601

Aliases

CVE-2023-30601
GHSA-m9p2-j4hg-g373

Published

2024-03-06T10:50:45.472Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache CassandraThis issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1.WORKAROUNDThe vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users.MITIGATIONUpgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allownodetoolarchive_command as false.

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

https://lists.apache.org/thread/f74p9jdhmmp7vtrqd8lgm8bq3dhxl8vn

Affected packages

Bitnami / cassandra

Package

Name: cassandra
Purl: pkg:bitnami/cassandra

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Fixed

4.0.10

Introduced

4.1.0

Fixed

4.1.2