[ https://issues.apache.org/jira/browse/CASSANDRA-18081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641256#comment-17641256 ]
Stefan Miklosovic commented on CASSANDRA-18081:
-----------------------------------------------

For example this [https://nvd.nist.gov/vuln/detail/CVE-2020-11612] I do not think we are using "ZlibDecoders" in Cassandra, (I might be wrong though).

[https://nvd.nist.gov/vuln/detail/CVE-2022-25857] What is the attack vector here?

[https://nvd.nist.gov/vuln/detail/CVE-2022-42004] again I do not think we use this

[https://nvd.nist.gov/vuln/detail/CVE-2022-42003] I do not think we use "UNWRAP_SINGLE_VALUE_ARRAYS" feature which enables this attack.

> CVE's in Cassandra 4.0.7
> ------------------------
>
> Key: CASSANDRA-18081
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18081
> Project: Cassandra
> Issue Type: Bug
> Reporter: Gaurav Gupta
> Priority: Normal
>
> Below CVE's are available in Latest Cassandra version.
> CVE-2022-42004,CVE-2022-25857,CVE-2020-11612,CVE-2022-42003
> Above CVE's are part of component maven:org.yaml:snakeyaml,
> maven:io.netty:netty-all, maven:com.fasterxml.jackson.core:jackson-databind

--
This message was sent by Atlassian Jira (v8.20.10#820010)