[jira] [Updated] (CASSANDRA-18150) Prefer snakeyaml's SafeConstructor over Constructor

Berenguer Blasi (Jira) Mon, 23 Jan 2023 21:38:11 -0800


     [ 
https://issues.apache.org/jira/browse/CASSANDRA-18150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Berenguer Blasi updated CASSANDRA-18150:
----------------------------------------
    Status: Review In Progress  (was: Patch Available)

> Prefer snakeyaml's SafeConstructor over Constructor
> ---------------------------------------------------
>
>                 Key: CASSANDRA-18150
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18150
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Local/Config
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 4.x
>
>
> CVE-2022-1471 allows RCE through the Constructor class.  While this isn't a 
> concern since yaml is only used for configuration, it is simple enough to 
> switch to SafeConstructor and harden the server a little more.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Updated] (CASSANDRA-18150) Prefer snakeyaml's SafeConstructor over Constructor

Reply via email to