CVE Vulnerability

CVE-2021-44521

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

8.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.1 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356 Issue Tracking Mailing List
http://www.openwall.com/lists/oss-security/2022/02/11/4 Mailing List Third Party Advisory
https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/ Exploit Mitigation
https://security.netapp.com/advisory/ntap-20220225-0001/ Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Information

Published : 2022-02-11 01:15

Updated : 2022-08-09 12:39

NVD link : CVE-2021-44521

Mitre link : CVE-2021-44521

Products Affected
No products.
CWE
CWE-732