Instaclustr Cassandra-Lucene-Index Plugin Privilege Escalation Vulnerability
Vulnerability
A vulnerability exists in the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin, specifically in versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, when installed in Apache Cassandra version 4.x. It allows authenticated Cassandra users to remotely bypass role-based access control (RBAC), read data they are not authorized to access, and escalate their privileges.
Impact
Exploitation of this vulnerability could lead to unauthorized data access and privilege escalation for authenticated Cassandra users.
Remediation
Users are advised to upgrade to version 4.0.17-1.0.0 or 4.1.8-1.0.1 of the Cassandra-Lucene-Index plugin. After upgrading, review user privileges in Cassandra to ensure no unauthorized superuser rights have been granted.
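One way to carry out the post-upgrade review above: an added audit script (not from the advisory or the plugin project) that reads system_auth.roles and flags every role holding superuser rights, directly or by inheriting them through membership in a superuser role, that is not on an approved list. The sample rows and the allowlist are constructed, and audit_cluster assumes the DataStax cassandra-driver package is installed.

```python
"""Audit for the remediation step above: find every role that is a superuser,
directly or via membership in a superuser role, and flag any not approved.
Added example; rows and allowlist are constructed; audit_cluster assumes the
DataStax cassandra-driver package."""

def effective_superusers(rows):
    """rows: system_auth.roles records (dict-like: role, is_superuser, member_of).
    Fixpoint over member_of, so a circular grant cannot recurse forever."""
    members = {r["role"]: set(r.get("member_of") or ()) for r in rows}
    supers = {r["role"] for r in rows if r["is_superuser"]}
    changed = True
    while changed:
        changed = False
        for name, granted in members.items():
            if name not in supers and granted & supers:
                supers.add(name)
                changed = True
    return supers

def unexpected_superusers(rows, approved):
    """Sorted effective superusers not in the approved set (exact comparison,
    since quoted CQL role names are case-sensitive)."""
    return sorted(effective_superusers(rows) - set(approved))

def audit_cluster(contact_points, username, password, approved):
    """Run the audit against a live cluster (needs cassandra-driver)."""
    from cassandra.auth import PlainTextAuthProvider
    from cassandra.cluster import Cluster
    from cassandra.query import dict_factory
    cluster = Cluster(contact_points, auth_provider=PlainTextAuthProvider(username, password))
    try:
        session = cluster.connect("system_auth")
        session.row_factory = dict_factory  # rows come back as dicts
        rows = session.execute("SELECT role, is_superuser, member_of FROM roles")
        return unexpected_superusers(list(rows), approved)
    finally:
        cluster.shutdown()

# Constructed sample: two approved superusers, a service role that inherits
# superuser through membership in dba_admin, and an unapproved direct superuser.
SAMPLE_ROWS = [
    {"role": "cassandra", "is_superuser": True, "member_of": None},
    {"role": "dba_admin", "is_superuser": True, "member_of": set()},
    {"role": "app_reader", "is_superuser": False, "member_of": None},
    {"role": "app_svc", "is_superuser": False, "member_of": {"dba_admin"}},
    {"role": "rogue", "is_superuser": True, "member_of": None},
]
APPROVED = {"cassandra", "dba_admin"}
if __name__ == "__main__":
    print(unexpected_superusers(SAMPLE_ROWS, APPROVED))  # ['app_svc', 'rogue']
```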