
CVE-2025-26511 com.instaclustr:cassandra-lucene-index-plugin

Package

Manager: maven
Name: com.instaclustr:cassandra-lucene-index-plugin
Vulnerable Version: >=4.0-rc1-1.0.0 <4.0.17-1.0.0 || >=4.1.0-1.0.0 <4.1.8-1.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00028 (percentile 0.0643)

Details

Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC

**Summary / Details**

Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which, when successfully exploited, could allow authenticated Cassandra users to remotely bypass RBAC to access data and escalate their privileges.

**Affected Versions**

- Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0
- versions 4.1.0-1.0.0 through 4.1.8-1.0.0

when installed into Apache Cassandra version 4.x.

**Required Configuration for Exploit**

These are the conditions required to enable exploit:

1. Cassandra 4.x
2. Vulnerable version of the Cassandra-Lucene-Index plugin configured for use
3. Data added to tables
4. Lucene index created
5. Cassandra flush has run

**Mitigation/Prevention**

Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possible any time the required conditions are met.

**Solution**

Upgrade to a fixed version of the Cassandra-Lucene-Index plugin. Review users in Cassandra to validate all superuser privileges.
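An added cqlsh audit for the mitigation and solution steps above; it is not part of the advisory or the plugin project. It lists the custom secondary indexes so Lucene-backed ones can be dropped and lists the roles holding superuser so they can be reviewed; it assumes the plugin registers indexes under the Stratio class name `com.stratio.cassandra.lucene.Index` (an assumption, confirm against the `options` column in your own output) and uses placeholder keyspace, index and role names.

```sql
-- Constructed audit queries for the mitigation steps; not from the advisory.

-- 1. Confirm the server version (only Cassandra 4.x is in scope).
SELECT release_version FROM system.local;

-- 2. List every custom (plugin-backed) secondary index in the cluster.
--    Lucene indexes carry a class_name such as 'com.stratio.cassandra.lucene.Index'
--    (assumed class name; match on whatever class_name your cluster shows).
SELECT keyspace_name, table_name, index_name, options
  FROM system_schema.indexes
 WHERE kind = 'CUSTOM'
 ALLOW FILTERING;

-- 3. Drop each Lucene index found in step 2 (placeholder names).
DROP INDEX IF EXISTS example_ks.example_lucene_idx;

-- 4. Review which roles hold superuser and can log in.
SELECT role, is_superuser, can_login
  FROM system_auth.roles;

-- 5. Placeholder: strip superuser from a role that should not have it.
ALTER ROLE example_role WITH SUPERUSER = false;
```

Repeat steps 2 and 3 on every keyspace until the step-2 query returns no Lucene-backed rows, then apply the plugin upgrade before recreating any index.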

Metadata

Created: 2025-02-13T17:16:27Z
Modified: 2025-02-14T00:32:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-mrqp-q7vx-v2cx/GHSA-mrqp-q7vx-v2cx.json
CWE IDs: ["CWE-288", "CWE-863"]
Alternative ID: GHSA-mrqp-q7vx-v2cx
Finding: F115
Auto approve: 1