[ https://issues.apache.org/jira/browse/CASSANDRA-18149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899968#comment-17899968 ]

Stefan Miklosovic edited comment on CASSANDRA-18149 at 11/21/24 8:54 AM:
-------------------------------------------------------------------------

[~Kaps_11]

Brandon wrote: 

_CVE-2022-1471: https://nvd.nist.gov/vuln/detail/CVE-2022-1471 RCE through the 
Constructor() class. It is recommended to use the SafeConstructor() class 
instead. I've created CASSANDRA-18150 to handle that._

I think this is fixed and the respective CVE is not exploitable in Cassandra 
anymore. Do you understand it differently?

It is not about whether you see old version or not. It is about whether the CVE 
is exploitable in the library version we use.


was (Author: smiklosovic):
[~Kaps_11]

Brandon wrote: 

_CVE-2022-1471: https://nvd.nist.gov/vuln/detail/CVE-2022-1471 RCE through the 
Constructor() class. It is recommended to use the SafeConstructor() class 
instead. I've created CASSANDRA-18150 to handle that._

I think this is fixed and the respective CVE is not exploitable in Cassandra 
anymore. Do you understand it differently?

> snakeyaml vulnerabilities: CVE-2021-4235, CVE-2022-1471, CVE-2022-3064
> ----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18149
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18149
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.0.29, 3.11.15, 4.0.8, 4.1.1, 5.0-alpha1, 5.0
>
>
> The OWASP scan is reporting these for both snakeyaml-1.11 and snakeyaml-1.26.
> These are similar to CASSANDRA-17907 in that they require access to the yaml 
> to have any effect.
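The mitigation Brandon's quoted comment describes (SafeConstructor instead of Constructor), shown as an added example that is not Cassandra's own loader code. It assumes SnakeYAML 1.33 or later, where SafeConstructor takes a LoaderOptions; the class name in the tagged sample is a placeholder.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Loads YAML with SafeConstructor, which only builds standard YAML types
 * (maps, lists, scalars) and rejects global tags that would otherwise name
 * an arbitrary Java class to instantiate. Example code, not Cassandra's own.
 */
public final class SafeYamlLoading {

    // Constructed sample: ordinary configuration-style YAML with no custom tags.
    static final String PLAIN_YAML = "cluster_name: Test Cluster\nnum_tokens: 16\n";

    // Constructed sample: a document whose tag asks the parser to instantiate a
    // class by name. The class name is a placeholder; only the tag form matters.
    static final String TAGGED_YAML = "!!com.example.Placeholder {}\n";

    /** Parser configured as the ticket recommends: SafeConstructor, not Constructor. */
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false); // defensive: reject ambiguous documents
        return new Yaml(new SafeConstructor(opts));
    }

    /** Returns true when the document parses without any class being built from a tag. */
    static boolean loadsSafely(String document) {
        try {
            Object parsed = safeLoader().load(document);
            return parsed != null;
        } catch (YAMLException e) {
            // SafeConstructor throws ConstructorException for any tag it cannot build.
            return false;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = safeLoader().load(PLAIN_YAML);
        System.out.println("cluster_name = " + cfg.get("cluster_name"));
        System.out.println("tagged document accepted? " + loadsSafely(TAGGED_YAML));
    }
}
```

With the default `new Yaml()` (which uses Constructor) the tagged sample would be handed to the class loader instead of being rejected; that difference is the whole point of the swap.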



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
