Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions

[Paulo Motta <paulo () apache org>]

A performance regression was detected in the security releases 3.0.31
[1] and 3.11.18 [2]. Users affected by this vulnerability are
recommended to upgrade to versions 3.0.32 and 3.11.19 instead.

Remaining versions are unaffected.

[1] - https://lists.apache.org/thread/yprngr9cmp9c43m1c56thv1v0v6y5ywq
[2] - https://lists.apache.org/thread/hc9shwlm1kmxdxosbh3qo2xooqoo3sc6

On Mon, Feb 3, 2025 at 6:19 PM Paulo Motta <paulo () apache org> wrote:
> Severity: moderate
>
> Affected versions:
>
> - Apache Cassandra 3.0.0 through 3.0.30
> - Apache Cassandra 3.1.0 through 3.11.17
> - Apache Cassandra 4.0.0 through 4.0.15
> - Apache Cassandra 4.1.0 through 4.1.7
> - Apache Cassandra 5.0.0 through 5.0.2
>
> Description:
>
> Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL 
> KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system 
> resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access 
> rules for potential breaches.
>
> This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.
>
> Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
>
> This issue was reported by Adam Pond, Ali Mirheidari, Terry Thibault, and Will Brattain of Apple Services Engineering 
> Security.
>
> References:
>
> https://cassandra.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2025-23015