[ https://issues.apache.org/jira/browse/CASSANDRA-18150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brandon Williams updated CASSANDRA-18150: ----------------------------------------- Fix Version/s: 3.0.29 3.11.15 4.0.8 4.1.1 4.2 (was: 3.0.x) (was: 4.x) (was: 3.11.x) (was: 4.0.x) (was: 4.1.x) Source Control Link: https://github.com/apache/cassandra/commit/e7f55ab8c3bd6bac4c87354afec231d7237c35b8 Resolution: Fixed Status: Resolved (was: Ready to Commit) > Prefer snakeyaml's SafeConstructor over Constructor > --------------------------------------------------- > > Key: CASSANDRA-18150 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18150 > Project: Cassandra > Issue Type: Improvement > Components: Local/Config > Reporter: Brandon Williams > Assignee: Brandon Williams > Priority: Normal > Fix For: 3.0.29, 3.11.15, 4.0.8, 4.1.1, 4.2 > > > CVE-2022-1471 allows RCE through the Constructor class. While this isn't a > concern since yaml is only used for configuration, it is simple enough to > switch to SafeConstructor and harden the server a little more. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org