[ https://issues.apache.org/jira/browse/CASSANDRA-17556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523872#comment-17523872 ]

Ekaterina Dimitrova edited comment on CASSANDRA-17556 at 4/18/22 7:40 PM:
--------------------------------------------------------------------------

Thanks [~cowtowncoder], the CVE will be covered by those versions, the 
question was whether again we might run into changes in those areas where we 
use Jackson that can affect our performance while fixing security bugs. 
(Referring back to issues like the one we hit in CASSANDRA-16851.)

Any changes we might want to know/consider?


was (Author: e.dimitrova):
Thanks [~cowtowncoder],  the CVE will be covered by those versions, the 
question was whether again we might run into changes in those areas we use i 
that can affect our performance while fixing security bugs. (Referring back to 
issues like the one we hit in  CASSANDRA-16851)

Any changes we might want to know/consider?

> jackson-databind 2.13.2 is vulnerable to CVE-2020-36518
> -------------------------------------------------------
>
>                 Key: CASSANDRA-17556
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17556
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Build
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.11.x, 4.0.x, 4.x
>
>
> Seems like it's technically possible to cause a DoS with nested json.


