Bitnami package
cassandra
pkg:bitnami/cassandra
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27315 | Med | 5.5 | >= 4.0.0, < 4.0.20 | 4.0.20 | Apr 7, 2026 | Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access. Users are recommended to upgrade to version 4.0.20, which fixes this issu | |
| CVE-2025-26467 | — | >= 4.0.16, < 4.0.17 | 4.0.17 | Aug 25, 2025 | Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on | ||
| CVE-2024-27137 | — | >= 4.0.2, < 4.0.15 | 4.0.15 | Feb 4, 2025 | In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacke | ||
| CVE-2025-24860 | — | >= 4.0.0, < 4.0.16 | 4.0.16 | Feb 4, 2025 | Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permission | ||
| CVE-2025-23015 | — | >= 3.0.0, < 3.0.31 | 3.0.31 | Feb 4, 2025 | Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on | ||
| CVE-2023-30601 | — | >= 4.0.0, < 4.0.10 | 4.0.10 | May 30, 2023 | Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JM | ||
| CVE-2021-44521 | — | >= 3.0.0, < 3.0.26 | 3.0.26 | Feb 11, 2022 | When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would n | ||
| CVE-2020-17516 | — | >= 2.1.0, < 2.1.23 | 2.1.23 | Feb 3, 2021 | Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted | ||
| CVE-2020-13946 | — | < 2.1.22 | 2.1.22 | Sep 1, 2020 | In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user |
- affected >= 4.0.0, < 4.0.20fixed 4.0.20
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access. Users are recommended to upgrade to version 4.0.20, which fixes this issu
- CVE-2025-26467Aug 25, 2025affected >= 4.0.16, < 4.0.17fixed 4.0.17
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on
- CVE-2024-27137Feb 4, 2025affected >= 4.0.2, < 4.0.15fixed 4.0.15
In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacke
- CVE-2025-24860Feb 4, 2025affected >= 4.0.0, < 4.0.16fixed 4.0.16
Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permission
- CVE-2025-23015Feb 4, 2025affected >= 3.0.0, < 3.0.31fixed 3.0.31
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on
- CVE-2023-30601May 30, 2023affected >= 4.0.0, < 4.0.10fixed 4.0.10
Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JM
- CVE-2021-44521Feb 11, 2022affected >= 3.0.0, < 3.0.26fixed 3.0.26
When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would n
- CVE-2020-17516Feb 3, 2021affected >= 2.1.0, < 2.1.23fixed 2.1.23
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted
- CVE-2020-13946Sep 1, 2020affected < 2.1.22fixed 2.1.22
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user