[
https://issues.apache.org/jira/browse/CASSANDRA-18630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737836#comment-17737836
] Brandon Williams commented on CASSANDRA-18630: ---------------------------------------------- Reading through the issue [here|https://github.com/FasterXML/jackson-databind/issues/3972] I don't think we need to worry about this and this probably shouldn't have been a CVE. Patches to suppress: ||Branch||CI|| |[3.0|https://github.com/driftx/cassandra/tree/CASSANDRA-18630-3.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1094/workflows/890d2bff-1c0c-4d92-9c2f-1db6dfcc28fa]| |[3.11|https://github.com/driftx/cassandra/tree/CASSANDRA-18630-3.11]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1096/workflows/8be147be-3cba-4912-8786-522c19feb623]| |[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-18630-4.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1092/workflows/361235e2-b54c-470f-bf00-4b5bcb631d7c], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1092/workflows/2eb95096-fede-4f7d-9c1b-adffe161ad74]| |[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-18630-4.1]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1093/workflows/bb1b1b46-9738-4b74-bcc7-c2fefeb7f737], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1093/workflows/6de7df6f-9b5f-4ec1-94ef-d3357d9604df]| |[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-18630-trunk]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1095/workflows/6114e2e3-8dcc-4bb0-b664-ae7d82c3349f], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1095/workflows/d1b2651a-4428-4473-a120-ec655ecfd8c9]| > jackson-databind-2.13.2.2.jar vulnerability: CVE-2023-35116 > ----------------------------------------------------------- > > Key: CASSANDRA-18630 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18630 > Project: Cassandra > Issue Type: Bug > Components: Dependencies > Reporter: Brandon Williams > Assignee: Brandon Williams > Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.x > > > https://nvd.nist.gov/vuln/detail/CVE-2023-35116 > {noformat} > An issue was discovered jackson-databind thru 2.15.2 allows attackers to > cause a denial of service or other unspecified impacts via crafted object > that uses cyclic dependencies. NOTE: the vendor's perspective is that the > product is not intended for use with untrusted input. > {noformat} -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
