CVE-2015-0225

CWE-77Command InjectionCWE-306Missing Authentication11 documents6 sources
Severity
7.5HIGH
EPSS
0.7%
top 28.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache CassandraApache Cassandra
Timeline
PublishedApr 3
Latest updateMay 14

Description

The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

Mavenorg.apache.cassandra:apache-cassandra1.2.02.0.14+1
NVDapache/cassandra38 versions+37
CVEListV5apache_software_foundation/apache_cassandraApache Cassandra 3.8 to 3.11.1

🔴Vulnerability Details

4
GHSA
Improper Neutralization of Special Elements used in a Command in Apache Cassandra2022-05-14
OSV
Improper Neutralization of Special Elements used in a Command in Apache Cassandra2022-05-14
GHSA
Missing Authentication for Critical Function in Apache Cassandra2022-05-13
CVEList
CVE-2015-0225: The default configuration in Apache Cassandra 12015-04-03

📋Vendor Advisories

2
Red Hat
cassandra: Unauthenticated JMX/RMI interface bound to all network interfaces (Regression of CVE-2015-0225)2018-06-26
Red Hat
Cassandra: remote code execution via unauthenticated JMX/RMI interface2015-04-01

💬Community

4
Bugzilla
CVE-2018-8016 cassandra: Unauthenticated JMX/RMI interface bound to all network interfaces (Regression of CVE-2015-0225)2018-06-27
Bugzilla
CVE-2018-8016 cassandra: Unauthenticated JMX/RMI interface bound to all network interfaces (Regression of CVE-2015-0225) [fedora-all]2018-06-27
Bugzilla
CVE-2015-8870 libtiff: Integer overflow in tools/bmp2tiff.c2016-12-08
Bugzilla
CVE-2015-0225 Cassandra: remote code execution via unauthenticated JMX/RMI interface2015-04-01
CVE-2015-0225 (HIGH CVSS 7.5) | The default configuration in Apache | cvebase.io