[jira] [Updated] (CASSANDRA-18150) Prefer snakeyaml's SafeConstructor over Constructor

Brandon Williams (Jira) Tue, 24 Jan 2023 04:41:12 -0800


     [ 
https://issues.apache.org/jira/browse/CASSANDRA-18150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Brandon Williams updated CASSANDRA-18150:
-----------------------------------------
          Fix Version/s: 3.0.29
                         3.11.15
                         4.0.8
                         4.1.1
                         4.2
                             (was: 3.0.x)
                             (was: 4.x)
                             (was: 3.11.x)
                             (was: 4.0.x)
                             (was: 4.1.x)
    Source Control Link: 
https://github.com/apache/cassandra/commit/e7f55ab8c3bd6bac4c87354afec231d7237c35b8
             Resolution: Fixed
                 Status: Resolved  (was: Ready to Commit)

> Prefer snakeyaml's SafeConstructor over Constructor
> ---------------------------------------------------
>
>                 Key: CASSANDRA-18150
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18150
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Local/Config
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.0.29, 3.11.15, 4.0.8, 4.1.1, 4.2
>
>
> CVE-2022-1471 allows RCE through the Constructor class.  While this isn't a 
> concern since yaml is only used for configuration, it is simple enough to 
> switch to SafeConstructor and harden the server a little more.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Updated] (CASSANDRA-18150) Prefer snakeyaml's SafeConstructor over Constructor

Reply via email to