Incorrect Authorization Vulnerability in Apache Cassandra
CVE-2025-24860
Currently unrated
Summary
An incorrect authorization issue in Apache Cassandra allows users whose access is restricted to particular data centers to manipulate their own permissions through data control language (DCL) statements. The issue affects deployments that use CassandraNetworkAuthorizer or CassandraCIDRAuthorizer, and can result in unauthorized data center access or visibility into IP/CIDR groups. Operators should reassess their data access rules and upgrade to the patched versions 4.0.16, 4.1.8, or 5.0.3.
Affected Version(s)
Apache Cassandra 4.0.0 through 4.0.15
Apache Cassandra 4.1.0 through 4.1.7
Apache Cassandra 5.0.0 through 5.0.2
Credit
Stefan Miklosovic