RCE in Apache Software Foundation Cassandra

CVE-2021-44521

When running Apache Cassandra with the following configuration:

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false

it is possible for an attacker to execute arbitra…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.910 (99.7th percentile)

Frequently asked questions

What is CVE-2021-44521?
CVE-2021-44521 is a vulnerability in Apache Software Foundation Cassandra, classified under Code Injection. Published 2022-02-11.

Is CVE-2021-44521 known to be exploited?
24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.