CVE-2025-26511

描述

**Summary / Details** Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges. **Affected Versions** - Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 - versions 4.1.0-1.0.0 through 4.1.8-1.0.0 when installed into Apache Cassandra version 4.x. **Required Configuration for Exploit** These are the conditions required to enable exploit: 1. Cassandra 4.x 2. Vulnerable version of the Cassandra-Lucene-Index plugin configured for use 3. Data added to tables 4. Lucene index created 5. Cassandra flush has run **Mitigation/Prevention** Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possible any time the required conditions are met. **Solution** Upgrade to a fixed version of the Cassandra-Lucene-Index plugin. Review users in Cassandra to validate all superuser privileges.

如何修補 CVE-2025-26511

要修補 CVE-2025-26511,請將受影響套件升級到下列已修補版本。

—升級至 4.0.17-1.0.0 或更新版本

CVE-2025-26511 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

>= 4.0-rc1-1.0.0, < 4.0.17-1.0.0

CVSS 分數

描述

如何修補 CVE-2025-26511

CVE-2025-26511 正在被利用嗎?

受影響套件(1)

CVSS 分數

參考連結(5)