[ https://issues.apache.org/jira/browse/CASSANDRA-18550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcus Eriksson updated CASSANDRA-18550:
----------------------------------------
    Description:
The {{--archive-command}} parameter to {code}nodetool enable{audit,fullquery}log{code} allows an attacker to execute arbitrary commands as the user running cassandra.

Patch adds a configuration option which disallows using this parameter - for any existing users of --archive-command this can be re-enabled

  was:
The {{--archive-command}} parameter to {{nodetool enable{audit,fullquery}log}} allows an attacker to execute arbitrary commands as the user running cassandra.

Patch adds a configuration option which disallows using this parameter - for any existing users of --archive-command this can be re-enabled

> Improve nodetool enable{audit,fullquery}log, CVE-2023-30601
> -----------------------------------------------------------
>
>                 Key: CASSANDRA-18550
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18550
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Local/Other
>            Reporter: Marcus Eriksson
>            Assignee: Marcus Eriksson
>            Priority: Normal
>             Fix For: 4.0.10, 4.1.2
>
>
> The {{--archive-command}} parameter to {code}nodetool
> enable{audit,fullquery}log{code} allows an attacker to execute arbitrary
> commands as the user running cassandra.
> Patch adds a configuration option which disallows using this parameter - for
> any existing users of --archive-command this can be re-enabled

--
This message was sent by Atlassian Jira
(v8.20.10#820010)