CVE-2021-44521

CVSS v3.1 9.1 (Critical)

CVSS v2.0 8.5 (High)

EPSS 5.32 % (93^th)

Affected Products 1

Advisories 2

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Weaknesses

CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2022-02-11 13:15:07
(2 years ago)
Updated Date: 2022-08-09 00:39:07
(2 years ago)

Affected Products

Apache

Cassandra

Configuration #1

	CPE23	From	Up To
Apache Cassandra from 3.0.0 version and prior 3.0.26 version	cpe:2.3:a:apache:cassandra	>= 3.0.0	< 3.0.26
Apache Cassandra from 3.11.0 version and prior 3.11.12 version	cpe:2.3:a:apache:cassandra	>= 3.11.0	< 3.11.12
Apache Cassandra from 4.0.0 version and prior 4.0.2 version	cpe:2.3:a:apache:cassandra	>= 4.0.0	< 4.0.2