High severityNVD Advisory· Published May 30, 2023· Updated Oct 9, 2024
Apache Cassandra: Privilege escalation when enabling FQL/Audit logs
CVE-2023-30601
Description
Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1.
WORKAROUND The vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users.
MITIGATION Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cassandra:cassandra-allMaven | >= 4.1.0, < 4.1.2 | 4.1.2 |
org.apache.cassandra:cassandra-allMaven | >= 4.0.0, < 4.0.10 | 4.0.10 |
Affected products
4- osv-coords3 versions
< 1.0.80-r0+ 2 more
- (no CPE)range: < 1.0.80-r0
- (no CPE)range: >= 4.0.0, < 4.0.10
- (no CPE)range: >= 4.1.0, < 4.1.2
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-m9p2-j4hg-g373ghsaADVISORY
- lists.apache.org/thread/f74p9jdhmmp7vtrqd8lgm8bq3dhxl8vnghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-30601ghsaADVISORY
- github.com/apache/cassandra/commit/22d74c711658507addfd67e2c78b04a9b88413b2ghsaWEB
- github.com/apache/cassandra/commit/aafb4d19448f12ce600dc4e84a5b181308825b32ghsaWEB
- issues.apache.org/jira/browse/CASSANDRA-18550ghsaWEB
News mentions
0No linked articles in our index yet.