[ https://issues.apache.org/jira/browse/CASSANDRA-18081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641386#comment-17641386 ]

Brandon Williams commented on CASSANDRA-18081:
----------------------------------------------

These:

https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
https://nvd.nist.gov/vuln/detail/CVE-2022-25857

are [already suppressed|https://github.com/apache/cassandra/blob/cassandra-4.0/.build/dependency-check-suppressions.xml]
so I'm not going to look.  That leaves:

https://nvd.nist.gov/vuln/detail/CVE-2020-11612

which I don't think we use, but also doesn't show up in the OWASP scan so I'm 
not concerned.

What does show in the scan however is: 

https://nvd.nist.gov/vuln/detail/CVE-2022-41854

Which looks like another snakeyaml local DOS we can suppress and I've created 
CASSANDRA-18083 to handle.



> CVE's in Cassandra 4.0.7
> ------------------------
>
>                 Key: CASSANDRA-18081
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18081
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Gaurav Gupta
>            Priority: Normal
>
> Below CVEs are available in the latest Cassandra version.
> CVE-2022-42004, CVE-2022-25857, CVE-2020-11612, CVE-2022-42003
> The above CVEs are part of the components maven:org.yaml:snakeyaml,
> maven:io.netty:netty-all, maven:com.fasterxml.jackson.core:jackson-databind
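As an added illustration, not part of this Jira thread or of Cassandra's own suppressions file: the shape of an OWASP dependency-check suppression entry that silences one CVE for one artifact only, which is the kind of scoped entry the linked dependency-check-suppressions.xml holds. The notes text and the expiry date are assumptions; scoping by packageUrl rather than suppressing the CVE globally keeps the finding alive if the same CVE is later reported against a different dependency.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a per-artifact suppression for a snakeyaml finding.
     The "until" date (an assumption) makes the suppression expire so the
     decision is revisited instead of silently outliving the dependency. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2023-12-31Z">
        <notes><![CDATA[
        CVE-2022-41854: snakeyaml stack-overflow DoS on crafted YAML input.
        Cassandra only parses operator-supplied cassandra.yaml, not untrusted
        YAML, so this is accepted as a local DoS. Tracked in CASSANDRA-18083.
        ]]></notes>
        <!-- Match only the snakeyaml artifact, at any version, not every
             dependency the CVE might be attached to. -->
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <cve>CVE-2022-41854</cve>
    </suppress>
</suppressions>
```

A suppression that omits the packageUrl (or uses only a cve element) hides the CVE for every dependency in the scan, which is why each entry should name the artifact it was reviewed against.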



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
