High-Severity RCE Bug Found in Popular Apache Cassandra Database

Researchers have shared details about a now-patched, high-severity security bug in the Apache Cassandra open-source NoSQL distributed database that’s easy to exploit and, if left unpatched, could enable attackers to gain remote code execution RCE. The bug, which involves how Cassandra creates...

CVE-2021-44521

A flaw was found in Cassandra that allows users with certain permissions to execute user-defined functions to create scripts and run remote code execution. This flaw allows an attacker to gain unwanted access and also execute actions against Cassandra...

GHSA-8FFC-79XG-29W8 Apache Cassandra vulnerable to Code Injection due to unsafe configuration

When running Apache Cassandra with the following configuration: enableuserdefinedfunctions: true enablescripteduserdefinedfunctions: true enableuserdefinedfunctionsthreads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissio...

Apache Cassandra vulnerable to Code Injection due to unsafe configuration

When running Apache Cassandra with the following configuration: enableuserdefinedfunctions: true enablescripteduserdefinedfunctions: true enableuserdefinedfunctionsthreads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissio...

CVE-2021-44521

When running Apache Cassandra with the following configuration: enableuserdefinedfunctions: true enablescripteduserdefinedfunctions: true enableuserdefinedfunctionsthreads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissio...

CVE-2021-44521

CVE-2021-44521 affects Apache Cassandra when enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false. The documented unsafe configuration can allow an attacker with cluster-level permissions to create user-defined functio...

CVE-2021-44521 Remote code execution for scripted UDFs

When running Apache Cassandra with the following configuration: enableuserdefinedfunctions: true enablescripteduserdefinedfunctions: true enableuserdefinedfunctionsthreads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissio...

PT-2022-2317 · Apache · Apache Cassandra

Name of the Vulnerable Software and Affected Versions: Apache Cassandra versions prior to 3.0.26 Apache Cassandra versions prior to 3.11.12 Apache Cassandra versions prior to 4.0.2 Description: The issue is related to the incorrect management of code generation in Apache Cassandra, which can allo...

cassandra3 -- arbitrary code execution

Marcus Eriksson reports: When running Apache Cassandra with the following configuration: enableuserdefinedfunctions: true enablescripteduserdefinedfunctions: true enableuserdefinedfunctionsthreads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need...

CVE-2022-22939

VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plain-text within multiple log files on the SDDC Manager. A malicious actor with root access on VMware Cloud Foundation SDDC Manager may be able to view credentials in plaintext within one or...

The vulnerability of the emergency recovery function of the Cisco SD-WAN vManage centralized system allows a intruder to gain unauthorized access to the device.

The vulnerability of the emergency recovery function of the Cisco SD-WAN vManage centralized system management platform is related to insufficient protection of registration data. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to the...

The vulnerability of the web interface of Cisco SD-WAN microprogramming software allows a hacker to obtain confidential information.

The vulnerability of the web interface of Cisco SD-WAN microprogramming software exists due to insufficient validation of input data. Exploiting this vulnerability can allow a malicious actor, operating remotely, to obtain confidential information through a specially crafted HTTP request...

Moderate: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVS...

The vulnerability of the CLI component of Cisco SD-WAN microprogramming software allows a hacker to execute arbitrary commands with root user privileges.

The vulnerability of the CLI component of Cisco SD-WAN software microprogramming systems exists due to insufficient validation of input data. Exploiting this vulnerability could allow an attacker to execute arbitrary commands with root user privileges...

The vulnerability of the SD-WAN system “Bohatka,” related to lack of access control, allows a hacker to execute any arbitrary code on the system’s server.

The vulnerability of the SD-WAN system “Bohatka” is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to execute arbitrary code on the system’s server, after successful authentication via WebSocket...

The vulnerability of the command-line interface (CLI) of Cisco SD-WAN microprogramming software allows a hacker to escalate their privileges and re-record arbitrary files.

The vulnerability of the command-line interface CLI of Cisco SD-WAN microprogramming software is related to insufficient verification of the commands executed. Exploiting this vulnerability can allow an attacker to enhance their privileges and re-record arbitrary files...

CVE-2021-37915

An issue was discovered on the Grandstream HT801 Analog Telephone Adaptor before 1.0.29.8. From the limited configuration shell, it is possible to set the malicious gdbdebugserver variable. As a result, after a reboot, the device downloads and executes malicious scripts from an attacker-defined...

CVE-2021-37915

An issue was discovered on the Grandstream HT801 Analog Telephone Adaptor before 1.0.29.8. From the limited configuration shell, it is possible to set the malicious gdbdebugserver variable. As a result, after a reboot, the device downloads and executes malicious scripts from an attacker-defined...

CVE-2021-41145

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH...

CVE-2021-41135

The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includ...