[ https://issues.apache.org/jira/browse/CASSANDRA-18943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17777318#comment-17777318 ]
Brandon Williams commented on CASSANDRA-18943: ---------------------------------------------- This affects netty and the driver, with variance between branches. Here's what dependency-check looks like: {quote} 3.0: fail Dependency-Check Failure: One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0': netty-all-4.0.44.Final.jar: CVE-2023-44487 See the dependency-check report for more details. Total time: 3 minutes 45 seconds 3.11: fail Dependency-Check Failure: One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0': netty-all-4.0.44.Final.jar: CVE-2023-44487 See the dependency-check report for more details. Total time: 3 minutes 57 seconds 4.0: fail Dependency-Check Failure: One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0': netty-all-4.1.58.Final.jar: CVE-2023-4586, CVE-2023-44487 See the dependency-check report for more details. Total time: 3 minutes 55 seconds 4.1: fail Dependency-Check Failure: One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0': netty-all-4.1.58.Final.jar: CVE-2023-4586, CVE-2023-44487 See the dependency-check report for more details. Total time: 4 minutes 22 seconds 5.0: fail cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml: CVE-2023-4586, CVE-2023-44487 cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml: CVE-2023-4586, CVE-2023-44487 netty-transport-4.1.96.Final.jar: CVE-2023-4586, CVE-2023-44487 See the dependency-check report for more details. Total time: 3 minutes 39 seconds trunk: fail cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml: CVE-2023-4586, CVE-2023-44487 cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml: CVE-2023-4586, CVE-2023-44487 netty-transport-4.1.96.Final.jar: CVE-2023-4586, CVE-2023-44487 {quote} > http/2 vulnerability: CVE-2023-44487 > ------------------------------------ > > Key: CASSANDRA-18943 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18943 > Project: Cassandra > Issue Type: Bug > Components: Dependencies > Reporter: Brandon Williams > Assignee: Brandon Williams > Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x, 5.x > > > https://nvd.nist.gov/vuln/detail/CVE-2023-44487 > Basically anything using http/2 is covered by this, but we don't use it. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org