[
https://issues.apache.org/jira/browse/CASSANDRA-15828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17178864#comment-17178864
]
Mark Denihan commented on CASSANDRA-15828:
------------------------------------------
[~c3-keveker] I was wondering if this could be classified as a false positive
but it does look like the org.codehaus.jackson:jackson-mapper-asl:1.9.2
dependency is utilized in a number of functions in the following versions;
2.2.17
src\java\org\apache\cassandra\cql3\Json.java
src\java\org\apache\cassandra\tools\SSTableExport.java
src\java\org\apache\cassandra\tools\SSTableImport.java
src\java\org\apache\cassandra\utils\FBUtilities.java
3.0.21
src\java\org\apache\cassandra\cql3\Json.java
src\java\org\apache\cassandra\utils\FBUtilities.java
3.11.6
src\java\org\apache\cassandra\cql3\Json.java
src\java\org\apache\cassandra\utils\FBUtilities.java
3.11.7
No use of org.codehaus.jackson:jackson-mapper-asl
Considering CVE-2019-10172 has poor information as to what classes are
vulnerable in org.codehaus.jackson:jackson-mapper-asl we must assume that if
the version of Cassandra uses the library, it is vulnerable. So as far as I can
see has been fixed in the latest version of 3.11.7. Is there any way that fix
will be back ported to other versions?
> Remove jackson-mapper-asl-1.9.13 to address CVE
> -----------------------------------------------
>
> Key: CASSANDRA-15828
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15828
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Kevin Eveker
> Priority: Normal
>
> Recent scan results identified the following CVE that require this upgrade to
> address
> [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
