[
https://issues.apache.org/jira/browse/CASSANDRA-18150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17678213#comment-17678213
]
Brandon Williams commented on CASSANDRA-18150:
----------------------------------------------
Looking into the breakage, I realized jmxtool doesn't _accept_ yaml, so there
is no need to patch it. I've backed that out so now the patches are the same
as my initial post, and the CI there should be accurate.
> Prefer snakeyaml's SafeConstructor over Constructor
> ---------------------------------------------------
>
> Key: CASSANDRA-18150
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18150
> Project: Cassandra
> Issue Type: Improvement
> Components: Local/Config
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 4.x
>
>
> CVE-2022-1471 allows RCE through the Constructor class. While this isn't a
> concern since yaml is only used for configuration, it is simple enough to
> switch to SafeConstructor and harden the server a little more.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
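What the hardening described in the issue looks like in SnakeYAML, as an added example (not Cassandra's own code or the patch under discussion): a loader built on SafeConstructor accepts a plain configuration document but rejects any value carrying a global tag that names a Java class. It assumes SnakeYAML 1.33 or later on the classpath; the configuration fragment and the `com.example.NotAllowed` tag are constructed samples.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public final class SafeYamlConfigLoader {

    /** Builds a Yaml instance that only constructs standard YAML types (maps, lists, scalars). */
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts));
    }

    /** Loads a YAML document into plain Java collections; any non-standard tag is rejected. */
    static Map<String, Object> loadConfig(String document) {
        return safeYaml().load(document);
    }

    /** True if SafeConstructor accepts the document, false if it throws while constructing it. */
    static boolean isAcceptedBySafeConstructor(String document) {
        try {
            safeYaml().load(document);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a cassandra.yaml-style fragment containing only standard YAML types.
        String ordinaryConfig =
              "cluster_name: 'Test Cluster'\n"
            + "num_tokens: 16\n"
            + "seed_provider:\n"
            + "  - class_name: org.apache.cassandra.locator.SimpleSeedProvider\n"
            + "    parameters:\n"
            + "      - seeds: \"127.0.0.1:7000\"\n";

        // Constructed sample: one value carries a global tag naming a (hypothetical) Java class.
        // The full Constructor resolves such tags to classes and instantiates them, which is the
        // CVE-2022-1471 vector; SafeConstructor rejects the tag before any class lookup happens.
        String taggedConfig =
              "cluster_name: 'Test Cluster'\n"
            + "seed_provider: !!com.example.NotAllowed {}\n";

        Map<String, Object> cfg = loadConfig(ordinaryConfig);
        System.out.println("num_tokens = " + cfg.get("num_tokens"));
        System.out.println("ordinary accepted: " + isAcceptedBySafeConstructor(ordinaryConfig)); // true
        System.out.println("tagged accepted:   " + isAcceptedBySafeConstructor(taggedConfig));   // false
    }
}
```

With the full `Constructor` in place of `SafeConstructor`, the second document would instead make SnakeYAML look up `com.example.NotAllowed` by name, which is exactly the behaviour the issue removes.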