[ https://issues.apache.org/jira/browse/CASSANDRA-18340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17713033#comment-17713033 ]
Brandon Williams commented on CASSANDRA-18340: ---------------------------------------------- We already use SafeConstructor: CASSANDRA-18150 If there is desire to upgrade snakeyaml, I suggest creating a new ticket without all this CVE noise that is already solved. > Bump snakeyaml from 1.26 to 2.0 > ------------------------------- > > Key: CASSANDRA-18340 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18340 > Project: Cassandra > Issue Type: New Feature > Reporter: Bipin Prasad > Assignee: Bipin Prasad > Priority: Normal > Time Spent: 0.5h > Remaining Estimate: 0h > > snakeyaml 1.26 has CVEs. Bump version for snakeyaml from 1.26 to 2.0 > To see the CVEs, goto > [https://mvnrepository.com/artifact/org.apache.cassandra/cassandra-all/4.1.0] > and seach for [org.yaml|https://mvnrepository.com/artifact/org.yaml] » > [snakeyaml|https://mvnrepository.com/artifact/org.yaml/snakeyaml] under > compile dependencies.Vulnerabilites are listed thusly: > > Direct vulnerabilities: > [CVE-2022-41854|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41854] > [CVE-2022-38752|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38752] > [CVE-2022-38751|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38751] > [View 4 more ...|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] > Vulnerabilities from dependencies: > [CVE-2022-22971|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22971] > [CVE-2022-22970|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22970] > [CVE-2022-22968|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22968] > ............. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org