CWE-267
AllowedPrivilege Defined With Unsafe Actions
Abstraction: Base · Status: Incomplete
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
102 vulnerabilities reference this CWE, most recent first.
GHSA-P976-H52C-26P6
Vulnerability from github – Published: 2023-06-06 02:00 – Updated: 2024-09-16 15:07Impact
A vulnerability has been identified which enables Standard users or above to elevate their permissions to Administrator in the local cluster.
The local cluster means the cluster where Rancher is installed. It is named local inside the list of clusters in the Rancher UI.
Standard users could leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster.
Users that have custom global roles which grant create and delete permissions on secrets would also be able to exploit this vulnerability.
Users with audit logs enabled in Rancher can try to identify possible abuses of this issue by going through the logs. To sieve through the data filter by kind: Secret with type: provisioning.cattle.io/cloud-credential, then investigate all log entries that affect that specific resource. A secondary check would be to filter by all operations with Opaque Secrets within the cattle-global-data namespace.
After patching, it is recommended that users review access methods to Rancher (including RBAC policies, tokens, and host-level node access), to ensure that no changes were made to persist access to users who have leveraged this vulnerability.
Patches
Patched versions include releases 2.6.13, 2.7.4 and later versions.
Workarounds
There is no direct mitigation besides updating Rancher to a patched version.
For more information
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22647"
],
"database_specific": {
"cwe_ids": [
"CWE-267",
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T02:00:28Z",
"nvd_published_at": "2023-06-01T13:15:10Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nA vulnerability has been identified which enables [Standard users](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions) or above to elevate their permissions to Administrator in the `local` cluster.\n\nThe `local` cluster means the cluster where Rancher is installed. It is named `local` inside the list of clusters in the Rancher UI.\n\nStandard users could leverage their existing permissions to manipulate Kubernetes secrets in the `local` cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the `local` cluster.\n\nUsers that have custom global roles which grant `create` and `delete` permissions on `secrets` would also be able to exploit this vulnerability.\n\nUsers with [audit logs enabled](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#enabling-api-audit-log) in Rancher can try to identify possible abuses of this issue by going through the logs. To sieve through the data filter by `kind: Secret` with `type: provisioning.cattle.io/cloud-credential`, then investigate all log entries that affect that specific resource. A secondary check would be to filter by all operations with `Opaque` Secrets within the `cattle-global-data` namespace.\n\nAfter patching, it is recommended that users review access methods to Rancher (including RBAC policies, tokens, and host-level node access), to ensure that no changes were made to persist access to users who have leveraged this vulnerability.\n\n### Patches\n\nPatched versions include releases `2.6.13`, `2.7.4` and later versions. \n\n### Workarounds\n\nThere is no direct mitigation besides updating Rancher to a patched version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
"id": "GHSA-p976-h52c-26p6",
"modified": "2024-09-16T15:07:40Z",
"published": "2023-06-06T02:00:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22647"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/rancher"
},
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/releases/tag/v2.6.13"
},
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/releases/tag/v2.7.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Rancher vulnerable to Privilege Escalation via manipulation of Secrets"
}
GHSA-PVQ4-GMPQ-27P3
Vulnerability from github – Published: 2024-09-12 18:31 – Updated: 2024-09-12 18:31A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.
{
"affected": [],
"aliases": [
"CVE-2024-8631"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-12T17:15:06Z",
"severity": "MODERATE"
},
"details": "A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles.",
"id": "GHSA-pvq4-gmpq-27p3",
"modified": "2024-09-12T18:31:42Z",
"published": "2024-09-12T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8631"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2478469"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/462665"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q3VC-646J-PRPQ
Vulnerability from github – Published: 2026-02-13 15:30 – Updated: 2026-06-04 09:30Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
{
"affected": [],
"aliases": [
"CVE-2025-14349"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-13T14:16:09Z",
"severity": "HIGH"
},
"details": "Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk allows Accessing Functionality Not Properly Constrained by ACLs, Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.",
"id": "GHSA-q3vc-646j-prpq",
"modified": "2026-06-04T09:30:34Z",
"published": "2026-02-13T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14349"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0065"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0065"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QXPC-96FQ-WWMG
Vulnerability from github – Published: 2026-04-07 18:31 – Updated: 2026-04-08 19:22Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY.
Users are recommended to upgrade to version 5.0.7+, which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "5.0-alpha1"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27314"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T19:22:39Z",
"nvd_published_at": "2026-04-07T17:16:27Z",
"severity": "HIGH"
},
"details": "Privilege escalation\u00a0in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator\u00a0allows a user with only CREATE permission\u00a0to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role\u00a0via ADD IDENTITY.\n\nUsers are recommended to upgrade to version 5.0.7+, which fixes this issue.",
"id": "GHSA-qxpc-96fq-wwmg",
"modified": "2026-04-08T19:22:39Z",
"published": "2026-04-07T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27314"
},
{
"type": "WEB",
"url": "https://github.com/apache/cassandra/commit/b584a435970e5125e1def5148d943c39569dc7af"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/cassandra"
},
{
"type": "WEB",
"url": "https://github.com/apache/cassandra/releases/tag/cassandra-5.0.7"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zrng82ddy4rpsmfyk582v6hqxcqrbz7f"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/07/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Cassandra is vulnerable to privilege escalation in an mTLS environment using MutualTlsAuthenticator"
}
GHSA-R7H5-5G56-GV3H
Vulnerability from github – Published: 2025-07-10 18:31 – Updated: 2025-07-10 18:31In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."
{
"affected": [],
"aliases": [
"CVE-2025-47811"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T17:15:46Z",
"severity": "MODERATE"
},
"details": "In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior \"fine to keep.\"",
"id": "GHSA-r7h5-5g56-gv3h",
"modified": "2025-07-10T18:31:27Z",
"published": "2025-07-10T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47811"
},
{
"type": "WEB",
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812"
},
{
"type": "WEB",
"url": "https://www.wftpserver.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7QM-XV29-CXJ4
Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2023-11-02 03:30When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2023-43746"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T13:15:21Z",
"severity": "HIGH"
},
"details": "\nWhen running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system.\u00a0 A successful exploit can allow the attacker to cross a security boundary.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-r7qm-xv29-cxj4",
"modified": "2023-11-02T03:30:26Z",
"published": "2023-10-10T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43746"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K41072952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RGCR-RWW9-8RR3
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-06-01 18:31An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.
This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
{
"affected": [],
"aliases": [
"CVE-2026-6816"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:44Z",
"severity": "MODERATE"
},
"details": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\n\n\nThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.",
"id": "GHSA-rgcr-rww9-8rr3",
"modified": "2026-06-01T18:31:42Z",
"published": "2026-05-29T00:38:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6816"
},
{
"type": "WEB",
"url": "https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085"
},
{
"type": "WEB",
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816"
},
{
"type": "WEB",
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816?nes-for-drupal-7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RHWM-GX2M-C396
Vulnerability from github – Published: 2023-10-03 09:32 – Updated: 2024-04-04 08:04A flaw within the SonicWall NetExtender Pre-Logon feature enables an unauthorized user to gain access to the host Windows operating system with 'SYSTEM' level privileges, leading to a local privilege escalation (LPE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-44218"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T08:15:36Z",
"severity": "HIGH"
},
"details": "\nA flaw within the SonicWall NetExtender Pre-Logon feature enables an unauthorized user to gain access to the host Windows operating system with \u0027SYSTEM\u0027 level privileges, leading to a local privilege escalation (LPE) vulnerability.\n\n",
"id": "GHSA-rhwm-gx2m-c396",
"modified": "2024-04-04T08:04:15Z",
"published": "2023-10-03T09:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44218"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VGRQ-GX9G-QP3W
Vulnerability from github – Published: 2025-10-21 21:33 – Updated: 2025-10-21 21:33Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2025-62588"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-21T20:20:55Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).",
"id": "GHSA-vgrq-gx9g-qp3w",
"modified": "2025-10-21T21:33:44Z",
"published": "2025-10-21T21:33:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62588"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMCC-9VCH-JMX4
Vulnerability from github – Published: 2025-02-04 12:30 – Updated: 2025-02-18 22:30Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.
This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.
Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "5.0-alpha1"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "4.1-alpha1"
},
{
"fixed": "4.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "4.0-alpha1"
},
{
"fixed": "4.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "3.1"
},
{
"fixed": "3.11.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23015"
],
"database_specific": {
"cwe_ids": [
"CWE-267"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-04T18:32:00Z",
"nvd_published_at": "2025-02-04T10:15:09Z",
"severity": "HIGH"
},
"details": "Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.\n\nThis issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2.\n\nUsers are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fixes the issue.",
"id": "GHSA-wmcc-9vch-jmx4",
"modified": "2025-02-18T22:30:54Z",
"published": "2025-02-04T12:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23015"
},
{
"type": "WEB",
"url": "https://github.com/apache/cassandra/commit/6207a305ba2b0cebc3241e00a843ab5dbf86d2ed"
},
{
"type": "WEB",
"url": "https://github.com/apache/cassandra/commit/f33267c8fae6d71166886efc3e7ddda4114ebeef"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/cassandra"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250214-0006"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/03/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/11/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.
CAPEC-634: Probe Audio and Video Peripherals
The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system.
CAPEC-637: Collect Data from Clipboard
The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.
CAPEC-643: Identify Shared Files/Directories on System
An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.
CAPEC-648: Collect Data from Screen Capture
An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.