GHSA-wmcc-9vch-jmx4

Suggest an improvement
Source
https://github.com/advisories/GHSA-wmcc-9vch-jmx4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-wmcc-9vch-jmx4/GHSA-wmcc-9vch-jmx4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wmcc-9vch-jmx4
Aliases
Published
2025-02-04T12:30:59Z
Modified
2025-02-18T22:49:06.196236Z
Downstream
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions
Details

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.

This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.

Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

Database specific
{
    "nvd_published_at": "2025-02-04T10:15:09Z",
    "cwe_ids": [
        "CWE-267"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-04T18:32:00Z"
}
References

Affected packages

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0-alpha1
Fixed
5.0.3

Affected versions

5.*

5.0-alpha1
5.0-alpha2
5.0-beta1
5.0-rc1
5.0-rc2
5.0.0
5.0.1
5.0.2

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1-alpha1
Fixed
4.1.8

Affected versions

4.*

4.1-alpha1
4.1-beta1
4.1-rc1
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0-alpha1
Fixed
4.0.16

Affected versions

4.*

4.0-alpha1
4.0-alpha2
4.0-alpha3
4.0-alpha4
4.0-beta1
4.0-beta2
4.0-beta3
4.0-beta4
4.0-rc1
4.0-rc2
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1
Fixed
3.11.18

Affected versions

3.*

3.1
3.1.1
3.2
3.2.1
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.11.8
3.11.9
3.11.10
3.11.11
3.11.12
3.11.13
3.11.14
3.11.15
3.11.16
3.11.17

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
View open source insights on deps.dev
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.31

Affected versions

0.*

0.7.0-rc4
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.6-2
0.7.7
0.7.8
0.7.9
0.7.10
0.8.0-beta1
0.8.0-beta2
0.8.0-rc1
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10

1.*

1.0.0-beta1
1.0.0-rc1
1.0.0-rc2
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.1.0-beta1
1.1.0-beta2
1.1.0-rc1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.2.0-beta1
1.2.0-beta2
1.2.0-beta3
1.2.0-rc1
1.2.0-rc2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19

2.*

2.0.0-beta1
2.0.0-beta2
2.0.0-rc1
2.0.0-rc2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.1.0-beta1
2.1.0-beta2
2.1.0-rc1
2.1.0-rc2
2.1.0-rc3
2.1.0-rc4
2.1.0-rc5
2.1.0-rc6
2.1.0-rc7
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.1.19
2.1.20
2.1.21
2.1.22
2.2.0-beta1
2.2.0-rc1
2.2.0-rc2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19

3.*

3.0.0-alpha1
3.0.0-beta1
3.0.0-beta2
3.0.0-rc1
3.0.0-rc2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21
3.0.22
3.0.23
3.0.24
3.0.25
3.0.26
3.0.27
3.0.28
3.0.29
3.0.30