[jira] [Commented] (CASSANDRA-18081) CVE's in Cassandra 4.0.7

Stefan Miklosovic (Jira) Wed, 30 Nov 2022 03:58:09 -0800


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-18081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641256#comment-17641256
 ]


Stefan Miklosovic commented on CASSANDRA-18081:
-----------------------------------------------

For example this

[https://nvd.nist.gov/vuln/detail/CVE-2020-11612]

I do not think we are using "ZlibDecoders" in Cassandra, (I might be wrong 
though).

 [https://nvd.nist.gov/vuln/detail/CVE-2022-25857] 

What is the attack vector here?

[https://nvd.nist.gov/vuln/detail/CVE-2022-42004]

again I do not think we use this

[https://nvd.nist.gov/vuln/detail/CVE-2022-42003]

I do not think we use "UNWRAP_SINGLE_VALUE_ARRAYS" feature which enables this 
attack.

> CVE's in Cassandra 4.0.7
> ------------------------
>
>                 Key: CASSANDRA-18081
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18081
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Gaurav Gupta
>            Priority: Normal
>
> Below CVE's are available in Latest Cassandra version.
> CVE-2022-42004,CVE-2022-25857,CVE-2020-11612,CVE-2022-42003
> Above CVE's are part of component maven:org.yaml:snakeyaml, 
> maven:io.netty:netty-all, maven:com.fasterxml.jackson.core:jackson-databind



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18081) CVE's in Cassandra 4.0.7

Reply via email to