Vulnerabilities > Apache > Cassandra

DATE CVE VULNERABILITY TITLE RISK
2023-05-30 CVE-2023-30601 Unspecified vulnerability in Apache Cassandra
Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users. MITIGATION Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.
local
low complexity
apache
7.8
2022-02-11 CVE-2021-44521 Incorrect Permission Assignment for Critical Resource vulnerability in Apache Cassandra
When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host.
network
low complexity
apache CWE-732
critical
9.1
2021-02-03 CVE-2020-17516 Authentication Bypass by Spoofing vulnerability in Apache Cassandra
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections.
network
low complexity
apache CWE-290
7.5
2020-09-01 CVE-2020-13946 Exposure of Resource to Wrong Sphere vulnerability in multiple products
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface.
network
high complexity
apache netapp CWE-668
5.9
2019-04-23 CVE-2019-2684 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI).
network
high complexity
oracle redhat opensuse debian apache canonical hp
5.9
2018-06-28 CVE-2018-8016 Missing Authentication for Critical Function vulnerability in Apache Cassandra
The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
network
low complexity
apache CWE-306
critical
9.8
2017-04-13 CVE-2016-4970 Infinite Loop vulnerability in multiple products
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
network
low complexity
netty redhat apache CWE-835
7.5
2016-04-21 CVE-2016-3427 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.
network
low complexity
oracle canonical debian netapp apache redhat suse opensuse
critical
9.8