Vulnerability Details CVE-2018-8016
The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 69.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2018-8016
- cpe:2.3:a:apache:cassandra:3.8
- cpe:2.3:a:apache:cassandra:3.9
- cpe:2.3:a:apache:cassandra:3.10
- cpe:2.3:a:apache:cassandra:3.11.0
- cpe:2.3:a:apache:cassandra:3.11.1