CVE-2021-44521

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*

History

09 Aug 2022, 00:39

Type Values Removed Values Added
CWE CWE-94 CWE-732

29 Mar 2022, 16:08

Type Values Removed Values Added
References (CONFIRM) https://security.netapp.com/advisory/ntap-20220225-0001/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20220225-0001/ - Third Party Advisory

25 Feb 2022, 10:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220225-0001/ -

18 Feb 2022, 01:28

Type Values Removed Values Added
CPE cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
References (MISC) https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/ - (MISC) https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/ - Exploit, Mitigation, Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/4 - (MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/4 - Mailing List, Third Party Advisory
References (MISC) https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356 - (MISC) https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356 - Issue Tracking, Mailing List, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 8.5
v3 : 9.1
CWE CWE-94

16 Feb 2022, 18:15

Type Values Removed Values Added
References
  • (MISC) https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/ -

11 Feb 2022, 16:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/4 -

11 Feb 2022, 13:53

Type Values Removed Values Added
New CVE

Information

Published : 2022-02-11 13:15

Updated : 2024-02-04 22:29


NVD link : CVE-2021-44521

Mitre link : CVE-2021-44521

CVE.ORG link : CVE-2021-44521


JSON object : View

Products Affected

apache

  • cassandra
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-94

Improper Control of Generation of Code ('Code Injection')