[
https://issues.apache.org/jira/browse/CASSANDRA-20671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17953325#comment-17953325
]
Michael Semb Wever edited comment on CASSANDRA-20671 at 5/22/25 6:19 AM:
-------------------------------------------------------------------------
For the project's triaged false-positives please see either
https://github.com/apache/cassandra/blob/cassandra-5.0/.snyk or
https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml
was (Author: michaelsembwever):
For the project's triaged false-positive please see either
https://github.com/apache/cassandra/blob/cassandra-5.0/.snyk or
https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml
> Cassandra 5.0.2. snakeyaml-1.26 . The package org.yaml:snakeyaml from 0 and
> before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested
> depth limitation for collections.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-20671
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20671
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: Kapil Shewate
> Priority: Normal
>
> h2. CVE-2022-25857
> The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to
> Denial of Service (DoS) due missing to nested depth limitation for
> collections.
>
> Also below CVE's are reported.
> CVE-2022-38749
> CVE-2022-38750
> CVE-2022-38751
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
