Daniel Gomez created CASSANDRA-16741: ----------------------------------------
Summary: Remediate Cassandra 3.11.10 JAR dependency vulnerability - com.google.guava_guava Key: CASSANDRA-16741 URL: https://issues.apache.org/jira/browse/CASSANDRA-16741 Project: Cassandra Issue Type: Improvement Components: Dependencies Reporter: Daniel Gomez A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities that have been fixed in newer releases. The following is the Cassandra 3.11.10 source tree for their JAR dependencies: [https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib] . JAR *ch.qos.logback_logback-core* version *1.1.3* has the following vulnerability and is fixed in version *1.2.0*. Recommendation is to upgrade to version *1.2.3* or greater. ||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr|| |CVE-2017-5929|9.8|QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929|ch.qos.logback_logback-core|1.1.3|critical|fixed in 1.2.0|CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| A possible fix strategy is to simply update the JAR to their newest version. * See [https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3] -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org