[
https://issues.apache.org/jira/browse/CASSANDRA-18922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774006#comment-17774006
]
Brandon Williams commented on CASSANDRA-18922:
----------------------------------------------
Well this is some kind of mess. Does this CVE number look familiar? That's
because it's the same one on CASSANDRA-18808, which for the longest time did
not have an "official" CVE entry on NIST or MITRE, only the
[sonatype|https://ossindex.sonatype.org/vulnerability/CVE-2023-4586] link for
Netty.
Now, [NIST|https://nvd.nist.gov/vuln/detail/CVE-2023-4586] and
[MITRE|https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4586] both have
entries, but not for Netty, instead for "the Hot Rod client does not enable
hostname validation when using TLS" which is in a similar vein, but
product-specific (for a product we don't use.)
> cassandra-driver-core-3.11.5 vulnerability: CVE-2023-4586
> ---------------------------------------------------------
>
> Key: CASSANDRA-18922
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18922
> Project: Cassandra
> Issue Type: Bug
> Components: Dependencies
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 5.0.x, 5.x
>
>
> This is failing OWASP: https://nvd.nist.gov/vuln/detail/CVE-2023-4586
> but appears to be a false positive.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
