[jira] [Commented] (CASSANDRA-17966) jackson-databind vulnerability CVE-2022-42003 CVE-2022-42004

Thu, 21 Nov 2024 00:27:39 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-17966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899959#comment-17899959
 ] 

Kapil Shewate commented on CASSANDRA-17966:
-------------------------------------------

[~brandon.williams] 

https://issues.apache.org/jira/browse/CASSANDRA-20093 is marked as duplicate of 
CASSANDRA-17966 but the issue is not fixed , we still see the old version 
jackson-databind2.13.2.2 in Cassandra 5.0.2. Could you please let us know if 
there will be a  new version of this jar available in the forthcoming releases 
or is Cassandra not vulnerable to the following CVE's in 
jackson-databind2.13.2.2 .jar

 

CVE-2022-42004 - 7.5
CVE-2023-35116 - 4.7

> jackson-databind vulnerability CVE-2022-42003 CVE-2022-42004
> ------------------------------------------------------------
>
>                 Key: CASSANDRA-17966
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17966
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.11.14, 4.0.7, 4.1-rc1, 5.0-alpha1, 5.0
>
>
> As the summary says, jackson-databind 2.13.2.2 which was upgraded for a 
> vulnerability in CASSANDRA-17556 is vulnerable again.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to