CVE-2025-24860— Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions

Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

N/A

授权机制不正确

Apache Cassandra 安全漏洞

Apache Cassandra是美国阿帕奇（Apache）基金会的一个分布式Nosql数据库。 Apache Cassandra存在安全漏洞，该漏洞源于包含一个不正确的授权漏洞，允许用户访问他们在使用CassandraNetworkAuthorizer或CassandraCIDRAuthorizer时应该无法访问的数据中心或IP/CIDR组。

N/A

N/A