[ https://issues.apache.org/jira/browse/CASSANDRA-16738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Gomez updated CASSANDRA-16738: ------------------------------------- Fix Version/s: 3.11.x > Remediate Cassandra 3.11.10 JAR dependency vulnerability - org.yaml_snakeyaml > ----------------------------------------------------------------------------- > > Key: CASSANDRA-16738 > URL: https://issues.apache.org/jira/browse/CASSANDRA-16738 > Project: Cassandra > Issue Type: Improvement > Components: Dependencies > Reporter: Daniel Gomez > Priority: Normal > Fix For: 3.11.x > > > A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities > that have been fixed in newer releases. The following is the Cassandra > 3.11.10 source tree for their JAR dependencies: > [https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib] > . > JAR *org.yaml_snakeyaml* version *1.11* has the following vulnerability and > is fixed in version *1.26*. Recommendation is to upgrade to version *2.29* or > greater. > > ||id||cvss||desc||link||packageName||packageVersion||severity||status||vecStr|| > |CVE-2017-18640|7.5|The Alias feature in SnakeYAML 1.18 allows entity > expansion during a load operation, a related issue to > CVE-2003-1564.|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18640|org.yaml_snakeyaml|1.11|high|fixed > in 1.26|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H| > > A possible fix strategy is to simply update the JAR to their newest version. > * See [https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.29] -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org