Maven package
org.apache.cassandra/cassandra-all
pkg:maven/org.apache.cassandra/cassandra-all
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32588 | Med | 6.5 | >= 4.0, < 4.0.20 | 4.0.20 | Apr 7, 2026 | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue. | |
| CVE-2026-27315 | Med | 5.5 | >= 4.0, < 4.0.20 | 4.0.20 | Apr 7, 2026 | Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access. Users are recommended to upgrade to version 4.0.20, which fixes this issu | |
| CVE-2026-27314 | Hig | 8.8 | >= 5.0-alpha1, < 5.0.7 | 5.0.7 | Apr 7, 2026 | Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTIT | |
| CVE-2025-26467 | — | >= 4.0.16, < 4.0.17 | 4.0.17 | Aug 25, 2025 | Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on | ||
| CVE-2024-27137 | — | >= 5.0-beta1, < 5.0.3 | 5.0.3 | Feb 4, 2025 | In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacke | ||
| CVE-2025-24860 | — | >= 4.0-alpha1, < 4.0.16 | 4.0.16 | Feb 4, 2025 | Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permission | ||
| CVE-2025-23015 | — | >= 5.0-alpha1, < 5.0.3 | 5.0.3 | Feb 4, 2025 | Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on | ||
| CVE-2023-30601 | — | >= 4.1.0, < 4.1.2 | 4.1.2 | May 30, 2023 | Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JM | ||
| CVE-2021-44521 | — | < 3.0.26 | 3.0.26 | Feb 11, 2022 | When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would n | ||
| CVE-2020-17516 | — | >= 2.1.0, < 3.0.24 | 3.0.24 | Feb 3, 2021 | Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted | ||
| CVE-2020-13946 | — | >= 2.1.0, < 2.1.12 | 2.1.12 | Sep 1, 2020 | In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user | ||
| CVE-2018-8016 | — | >= 3.8, < 3.11.2 | 3.11.2 | Jun 28, 2018 | The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was |
- affected >= 4.0, < 4.0.20fixed 4.0.20
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
- affected >= 4.0, < 4.0.20fixed 4.0.20
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access. Users are recommended to upgrade to version 4.0.20, which fixes this issu
- affected >= 5.0-alpha1, < 5.0.7fixed 5.0.7
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTIT
- CVE-2025-26467Aug 25, 2025affected >= 4.0.16, < 4.0.17fixed 4.0.17
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on
- CVE-2024-27137Feb 4, 2025affected >= 5.0-beta1, < 5.0.3fixed 5.0.3
In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacke
- CVE-2025-24860Feb 4, 2025affected >= 4.0-alpha1, < 4.0.16fixed 4.0.16
Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permission
- CVE-2025-23015Feb 4, 2025affected >= 5.0-alpha1, < 5.0.3fixed 5.0.3
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on
- CVE-2023-30601May 30, 2023affected >= 4.1.0, < 4.1.2fixed 4.1.2
Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. WORKAROUND The vulnerability requires nodetool/JM
- CVE-2021-44521Feb 11, 2022affected < 3.0.26fixed 3.0.26
When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would n
- CVE-2020-17516Feb 3, 2021affected >= 2.1.0, < 3.0.24fixed 3.0.24
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted
- CVE-2020-13946Sep 1, 2020affected >= 2.1.0, < 2.1.12fixed 2.1.12
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user
- CVE-2018-8016Jun 28, 2018affected >= 3.8, < 3.11.2fixed 3.11.2
The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was