[ https://issues.apache.org/jira/browse/CASSANDRA-15828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17178864#comment-17178864 ]
Mark Denihan commented on CASSANDRA-15828:
------------------------------------------

[~c3-keveker] I was wondering if this could be classified as a false positive, but it does look like the org.codehaus.jackson:jackson-mapper-asl:1.9.2 dependency is utilized in a number of functions in the following versions:

2.2.17
src\java\org\apache\cassandra\cql3\Json.java
src\java\org\apache\cassandra\tools\SSTableExport.java
src\java\org\apache\cassandra\tools\SSTableImport.java
src\java\org\apache\cassandra\utils\FBUtilities.java

3.0.21
src\java\org\apache\cassandra\cql3\Json.java
src\java\org\apache\cassandra\utils\FBUtilities.java

3.11.6
src\java\org\apache\cassandra\cql3\Json.java
src\java\org\apache\cassandra\utils\FBUtilities.java

3.11.7
No use of org.codehaus.jackson:jackson-mapper-asl

Considering CVE-2019-10172 has poor information as to what classes are vulnerable in org.codehaus.jackson:jackson-mapper-asl, we must assume that if the version of Cassandra uses the library, it is vulnerable. So as far as I can see this has been fixed in the latest version, 3.11.7. Is there any way that fix will be back-ported to other versions?

> Remove jackson-mapper-asl-1.9.13 to address CVE
> -----------------------------------------------
>
>                 Key: CASSANDRA-15828
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15828
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Kevin Eveker
>            Priority: Normal
>
> Recent scan results identified the following CVE that requires this upgrade to
> address
> [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
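The version-by-version check the comment describes (does a given source tree still reference org.codehaus.jackson anywhere, and therefore still depend on jackson-mapper-asl?) can be scripted so it is repeatable across release tags. The following is an added example and is not code from the Cassandra project or from the comment author. The sample source trees it writes are constructed placeholders that mirror the per-version file list above, not real Cassandra sources; `find_references`, `assess_versions`, `build_sample_checkouts` and `demo` are names chosen for this example.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Java package prefix of the flagged artifact org.codehaus.jackson:jackson-mapper-asl
# (Jackson 1.x). Any reference below this prefix means the tree still depends on it.
JACKSON1_PREFIX = "org.codehaus.jackson"


def find_references(root, prefix=JACKSON1_PREFIX):
    """Scan every .java file under `root` and return
    {relative_posix_path: sorted list of referenced classes under `prefix`}.

    The match is lexical: it catches `import` statements and fully-qualified
    references alike, and will also report a reference that sits in a comment.
    """
    pattern = re.compile(r"\b" + re.escape(prefix) + r"(?:\.\w+)+")
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.java")):
        text = path.read_text(encoding="utf-8", errors="replace")
        refs = sorted(set(pattern.findall(text)))
        if refs:
            hits[path.relative_to(root).as_posix()] = refs
    return hits


def assess_versions(checkouts, prefix=JACKSON1_PREFIX):
    """checkouts: {version: path to that version's source tree}.
    Returns {version: {"uses_library": bool, "files": {path: [classes]}}},
    applying the comment's rule: a version that references the library at all
    is treated as affected, since the CVE text does not say which classes are."""
    report = {}
    for version, root in checkouts.items():
        files = find_references(root, prefix)
        report[version] = {"uses_library": bool(files), "files": files}
    return report


# Constructed sample trees mirroring the per-version file list in the comment.
# File contents are placeholders written for this example, not Cassandra source.
_JACKSON1_IMPORT = "import org.codehaus.jackson.map.ObjectMapper;\n"
_SAMPLE_TREES = {
    "2.2.17": {
        "src/java/org/apache/cassandra/cql3/Json.java": _JACKSON1_IMPORT + "public class Json {}\n",
        "src/java/org/apache/cassandra/tools/SSTableExport.java": _JACKSON1_IMPORT + "public class SSTableExport {}\n",
        "src/java/org/apache/cassandra/tools/SSTableImport.java": _JACKSON1_IMPORT + "public class SSTableImport {}\n",
        "src/java/org/apache/cassandra/utils/FBUtilities.java": _JACKSON1_IMPORT + "public class FBUtilities {}\n",
    },
    "3.0.21": {
        "src/java/org/apache/cassandra/cql3/Json.java": _JACKSON1_IMPORT + "public class Json {}\n",
        "src/java/org/apache/cassandra/utils/FBUtilities.java": _JACKSON1_IMPORT + "public class FBUtilities {}\n",
    },
    "3.11.6": {
        "src/java/org/apache/cassandra/cql3/Json.java": _JACKSON1_IMPORT + "public class Json {}\n",
        "src/java/org/apache/cassandra/utils/FBUtilities.java": _JACKSON1_IMPORT + "public class FBUtilities {}\n",
    },
    "3.11.7": {
        # No Jackson 1.x reference in this constructed tree.
        "src/java/org/apache/cassandra/cql3/Json.java": "public class Json {}\n",
        "src/java/org/apache/cassandra/utils/FBUtilities.java": "public class FBUtilities {}\n",
    },
}


def build_sample_checkouts(base_dir):
    """Write the constructed trees under base_dir; return {version: tree path}."""
    checkouts = {}
    for version, files in _SAMPLE_TREES.items():
        root = Path(base_dir) / f"cassandra-{version}"
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        checkouts[version] = root
    return checkouts


def demo():
    """Build the sample checkouts in a temp dir, assess them, clean up,
    and return the report."""
    base = tempfile.mkdtemp(prefix="jackson1-scan-")
    try:
        return assess_versions(build_sample_checkouts(base))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for version, result in demo().items():
        status = "references jackson-mapper-asl" if result["uses_library"] else "no reference"
        print(f"{version}: {status}")
        for path, classes in result["files"].items():
            print(f"  {path}: {', '.join(classes)}")
```

To run this against real release tags, pass `assess_versions` a mapping of tag name to a checkout of that tag instead of the constructed trees. Two caveats apply when reading the result: the check is lexical, so a commented-out import is reported as a reference, and absence of references in the source does not prove the jar is absent from the shipped distribution or from the transitive dependency graph, which is what the scanner in the issue actually flagged. Confirming that the artifact is no longer bundled (for example by listing the shipped library directory and the build tool's resolved dependencies) is the complementary half of closing the finding.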