[ https://issues.apache.org/jira/browse/CASSANDRA-17556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523872#comment-17523872 ]
Ekaterina Dimitrova edited comment on CASSANDRA-17556 at 4/18/22 7:40 PM:
--------------------------------------------------------------------------

Thanks [~cowtowncoder], the CVE will be covered by those versions, the question was whether again we might run into changes in those areas we use Jackson that can affect our performance while fixing security bugs. (Referring back to issues like the one we hit in CASSANDRA-16851)
Any changes we might want to know/consider?

was (Author: e.dimitrova):
Thanks [~cowtowncoder], the CVE will be covered by those versions, the question was whether again we might run into changes in those areas we use i that can affect our performance while fixing security bugs. (Referring back to issues like the one we hit in CASSANDRA-16851)
Any changes we might want to know/consider?

> jackson-databind 2.13.2 is vulnerable to CVE-2020-36518
> -------------------------------------------------------
>
> Key: CASSANDRA-17556
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17556
> Project: Cassandra
> Issue Type: Bug
> Components: Build
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 3.11.x, 4.0.x, 4.x
>
>
> Seems like it's technically possible to cause a DoS with nested json.