CVE-2015-0225

The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.

Published Bysecalert@redhat.com

Published DateApr 03, 2015, 14:59

Affected Versions(2)

org.apache.cassandra:apache-cassandra(Maven)

Introduced1.2.0

Fixed2.0.14

LimitN/A

org.apache.cassandra:apache-cassandra(Maven)

Introduced2.1.0

Fixed2.1.4

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.cassandra:apache-cassandra(Maven)	1.2.0	2.0.14	N/A
org.apache.cassandra:apache-cassandra(Maven)	2.1.0	2.1.4	N/A

Weakness Type (CWE):CWE-77

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-77

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL