CVE-2021-44521 – org.apache.cassandra:cassandra-all

Package

Manager: maven
Name: org.apache.cassandra:cassandra-all
Vulnerable Version: >=0 <3.0.26 || >=3.11.0 <3.11.12 || >=4.0.0 <4.0.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.91234 pctl0.9964

Details

Apache Cassandra vulnerable to Code Injection due to unsafe configuration When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Metadata

Created: 2022-02-12T00:00:48Z
Modified: 2022-08-11T19:20:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-8ffc-79xg-29w8/GHSA-8ffc-79xg-29w8.json
CWE IDs: ["CWE-732", "CWE-94"]
Alternative ID: GHSA-8ffc-79xg-29w8
Finding: F422
Auto approve: 1