[
https://issues.apache.org/jira/browse/CASSANDRA-16738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Gomez updated CASSANDRA-16738:
-------------------------------------
Summary: Remediate Cassandra 3.11.10 JAR dependency vulnerability -
org.yaml_snakeyaml (was: Remediate Cassandra 3.11.10 JAR dependency
vulnerability - org.yaml)
> Remediate Cassandra 3.11.10 JAR dependency vulnerability - org.yaml_snakeyaml
> -----------------------------------------------------------------------------
>
> Key: CASSANDRA-16738
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16738
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Daniel Gomez
> Priority: Normal
>
> A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities
> that have been fixed in newer releases. The following is the Cassandra
> 3.11.10 source tree for their JAR dependencies:
> [https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
> .
> JAR *org.yaml_snakeyaml* version *1.11* has the following vulnerability and
> is fixed in version *1.26*. Recommendation is to upgrade to version *2.29* or
> greater.
>
> ||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr||
> |CVE-2017-18640|7.5|The Alias feature in SnakeYAML 1.18 allows entity
> expansion during a load operation, a related issue to
> CVE-2003-1564.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18640|org.yaml_snakeyaml|1.11|high|fixed
> in 1.26|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|
>
> A possible fix strategy is to simply update the JAR to their newest version.
> * See [https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.29]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
