SCA: security update for org.apache.cassandra:cassandra-all (GHSA-8ffc-79xg-29w8)

critical Tenable Cloud Security Plugin ID 412624

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- When running Apache Cassandra with the following configuration: enable_user_defined_functions: true
enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible
for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions
to create user defined functions in the cluster to be able to exploit this. Note that this configuration
is documented as unsafe, and will continue to be considered unsafe after this CVE. (CVE-2021-44521)

See Also

https://github.com/advisories/GHSA-8ffc-79xg-29w8

Plugin Details

Severity: Critical

ID: 412624

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.51

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-44521

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/12/2022

Vulnerability Publication Date: 2/11/2022

Reference Information

CVE: CVE-2021-44521