Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/264657?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/264657?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0.1", "type": "maven", "namespace": "org.apache.cassandra", "name": "cassandra-all", "version": "4.0.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.0.20", "latest_non_vulnerable_version": "5.0.7", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/63354?format=api", "vulnerability_id": "VCID-9255-jdmq-q3ge", "summary": "Apache Cassandra: Apache Cassandra: Denial of Service via repeated password changes", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32588.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32588.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32588", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.21878", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.21939", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.21925", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32588" }, { "reference_url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:43:30Z/" } ], "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32588", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32588" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/07/9", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/07/9" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456105", "reference_id": "2456105", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456105" }, { "reference_url": "https://github.com/advisories/GHSA-qffm-gf3j-6mvg", "reference_id": "GHSA-qffm-gf3j-6mvg", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qffm-gf3j-6mvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110578?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/111000?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.1.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.1.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/110114?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@5.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@5.0.7" } ], "aliases": [ "CVE-2026-32588", "GHSA-qffm-gf3j-6mvg" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9255-jdmq-q3ge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45305?format=api", "vulnerability_id": "VCID-e1dm-7a5s-y3c9", "summary": "Improper Privilege Management\nPrivilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra\nThis issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1.\n\nWORKAROUND\nThe vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users.\n\nMITIGATION\nUpgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30601", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06054", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06057", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0607", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30601" }, { "reference_url": "https://github.com/apache/cassandra", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/cassandra" }, { "reference_url": "https://github.com/apache/cassandra/commit/22d74c711658507addfd67e2c78b04a9b88413b2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/cassandra/commit/22d74c711658507addfd67e2c78b04a9b88413b2" }, { "reference_url": "https://github.com/apache/cassandra/commit/aafb4d19448f12ce600dc4e84a5b181308825b32", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/cassandra/commit/aafb4d19448f12ce600dc4e84a5b181308825b32" }, { "reference_url": "https://issues.apache.org/jira/browse/CASSANDRA-18550", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.apache.org/jira/browse/CASSANDRA-18550" }, { "reference_url": "https://lists.apache.org/thread/f74p9jdhmmp7vtrqd8lgm8bq3dhxl8vn", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-09T20:47:35Z/" } ], "url": "https://lists.apache.org/thread/f74p9jdhmmp7vtrqd8lgm8bq3dhxl8vn" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30601", "reference_id": "CVE-2023-30601", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30601" }, { "reference_url": "https://github.com/advisories/GHSA-m9p2-j4hg-g373", "reference_id": "GHSA-m9p2-j4hg-g373", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m9p2-j4hg-g373" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65287?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9255-jdmq-q3ge" }, { "vulnerability": "VCID-kp2h-v585-9kc2" }, { "vulnerability": "VCID-nm1w-nh18-a3f4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/65288?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9255-jdmq-q3ge" }, { "vulnerability": "VCID-nm1w-nh18-a3f4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.1.2" } ], "aliases": [ "CVE-2023-30601", "GHSA-m9p2-j4hg-g373" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e1dm-7a5s-y3c9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89406?format=api", "vulnerability_id": "VCID-kp2h-v585-9kc2", "summary": "Apache Cassandra has sensitive Information Leak in cqlsh\nSensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access.\n\nUsers are recommended to upgrade to version 4.0.20, which fixes this issue.\n\n--\nDescription: Cassandra's command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user's home directory.\n\nHowever, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27315", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02857", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02812", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02866", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27315" }, { "reference_url": "https://github.com/apache/cassandra", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/cassandra" }, { "reference_url": "https://issues.apache.org/jira/browse/CASSANDRA-21180", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:37:35Z/" } ], "url": "https://issues.apache.org/jira/browse/CASSANDRA-21180" }, { "reference_url": "https://lists.apache.org/thread/ft77zrk2mzt8qsch4g6jqjj4901d22k3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:37:35Z/" } ], "url": "https://lists.apache.org/thread/ft77zrk2mzt8qsch4g6jqjj4901d22k3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27315", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27315" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/04/07/8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/04/07/8" }, { "reference_url": "https://github.com/advisories/GHSA-fh34-c629-p8xj", "reference_id": "GHSA-fh34-c629-p8xj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fh34-c629-p8xj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110578?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0.20" } ], "aliases": [ "CVE-2026-27315", "GHSA-fh34-c629-p8xj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kp2h-v585-9kc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56574?format=api", "vulnerability_id": "VCID-nm1w-nh18-a3f4", "summary": "Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions\nIncorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer.\n\nUsers with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions.\n\nThis issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer.\n\nOperators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24860.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24860.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24860", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00163", "scoring_system": "epss", "scoring_elements": "0.36995", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00163", "scoring_system": "epss", "scoring_elements": "0.37021", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00163", "scoring_system": "epss", "scoring_elements": "0.37028", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24860" }, { "reference_url": "https://github.com/apache/cassandra", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/cassandra" }, { "reference_url": "https://lists.apache.org/thread/yjo5on4tf7s1r9qklc4byrz30b8vkm2d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T19:43:54Z/" } ], "url": "https://lists.apache.org/thread/yjo5on4tf7s1r9qklc4byrz30b8vkm2d" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20250214-0005", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20250214-0005" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/02/03/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/02/03/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343726", "reference_id": "2343726", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343726" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24860", "reference_id": "CVE-2025-24860", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24860" }, { "reference_url": "https://github.com/advisories/GHSA-3cjf-fwcq-xh22", "reference_id": "GHSA-3cjf-fwcq-xh22", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3cjf-fwcq-xh22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84002?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9255-jdmq-q3ge" }, { "vulnerability": "VCID-kp2h-v585-9kc2" }, { "vulnerability": "VCID-q1n6-k6kb-xqc5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/84003?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.1.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9255-jdmq-q3ge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.1.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/84004?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@5.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6a5t-qng2-6ffz" }, { "vulnerability": "VCID-9255-jdmq-q3ge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@5.0.3" } ], "aliases": [ "CVE-2025-24860", "GHSA-3cjf-fwcq-xh22" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nm1w-nh18-a3f4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42385?format=api", "vulnerability_id": "VCID-p871-2mvt-6kg4", "summary": "Improper Control of Generation of Code ('Code Injection')\nWhen running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44521.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44521.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-44521", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.91007", "scoring_system": "epss", "scoring_elements": "0.99653", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-44521" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/apache/cassandra", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/cassandra" }, { "reference_url": "https://issues.apache.org/jira/browse/CASSANDRA-17352", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.apache.org/jira/browse/CASSANDRA-17352" }, { "reference_url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution" }, { "reference_url": "https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220225-0001", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20220225-0001" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220225-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20220225-0001/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/02/11/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/02/11/4" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053774", "reference_id": "2053774", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053774" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44521", "reference_id": "CVE-2021-44521", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44521" }, { "reference_url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/", "reference_id": "CVE-2021-44521-EXPLOITING-APACHE-CASSANDRA-USER-DEFINED-FUNCTIONS-FOR-REMOTE-CODE-EXECUTION", "reference_type": "", "scores": [], "url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/" }, { "reference_url": "https://github.com/advisories/GHSA-8ffc-79xg-29w8", "reference_id": "GHSA-8ffc-79xg-29w8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8ffc-79xg-29w8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60623?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9255-jdmq-q3ge" }, { "vulnerability": "VCID-e1dm-7a5s-y3c9" }, { "vulnerability": "VCID-kp2h-v585-9kc2" }, { "vulnerability": "VCID-nm1w-nh18-a3f4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0.2" } ], "aliases": [ "CVE-2021-44521", "GHSA-8ffc-79xg-29w8" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p871-2mvt-6kg4" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53020?format=api", "vulnerability_id": "VCID-p9uv-x9xt-z3g7", "summary": "Exposure of Resource to Wrong Sphere\nIn Apache Cassandra, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13946.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13946.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13946", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00287", "scoring_system": "epss", "scoring_elements": "0.52484", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00287", "scoring_system": "epss", "scoring_elements": "0.52435", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00287", "scoring_system": "epss", "scoring_elements": "0.52495", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00287", "scoring_system": "epss", "scoring_elements": "0.52503", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13946" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7@%3Cuser.cassandra.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7@%3Cuser.cassandra.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce@%3Cuser.cassandra.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce@%3Cuser.cassandra.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc@%3Cuser.cassandra.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc@%3Cuser.cassandra.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210521-0005", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20210521-0005" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210521-0005/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20210521-0005/" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875830", "reference_id": "1875830", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875830" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13946", "reference_id": "CVE-2020-13946", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13946" }, { "reference_url": "https://github.com/advisories/GHSA-24ww-mc5x-xc43", "reference_id": "GHSA-24ww-mc5x-xc43", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-24ww-mc5x-xc43" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:0811", "reference_id": "RHSA-2021:0811", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:0811" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/142561?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@2.1.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p9uv-x9xt-z3g7" }, { "vulnerability": "VCID-pegc-kvnz-m7b5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@2.1.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/78004?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@2.1.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pegc-kvnz-m7b5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@2.1.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/78005?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@2.2.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pegc-kvnz-m7b5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@2.2.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/78006?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@3.0.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p871-2mvt-6kg4" }, { "vulnerability": "VCID-pegc-kvnz-m7b5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@3.0.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/78007?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@3.11.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p871-2mvt-6kg4" }, { "vulnerability": "VCID-pegc-kvnz-m7b5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@3.11.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/142568?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0-beta2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-nm1w-nh18-a3f4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0-beta2" }, { "url": "http://public2.vulnerablecode.io/api/packages/264657?format=api", "purl": "pkg:maven/org.apache.cassandra/cassandra-all@4.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9255-jdmq-q3ge" }, { "vulnerability": "VCID-e1dm-7a5s-y3c9" }, { "vulnerability": "VCID-kp2h-v585-9kc2" }, { "vulnerability": "VCID-nm1w-nh18-a3f4" }, { "vulnerability": "VCID-p871-2mvt-6kg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0.1" } ], "aliases": [ "CVE-2020-13946", "GHSA-24ww-mc5x-xc43" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p9uv-x9xt-z3g7" } ], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cassandra/cassandra-all@4.0.1" }