Details
- Improvement
- Status: Triage Needed
- Normal
- Resolution: Unresolved
- None
- Operability
- Low Hanging Fruit
- All
- None
Description
A JAR dependency is flagged in Cassandra 3.11.10 as having vulnerabilities that have been fixed in newer releases. The following is the Cassandra 3.11.10 source tree for its JAR dependencies: https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib
JAR commons-codec_commons-codec version 1.9 has the following vulnerability, which is fixed in version 1.13. The recommendation is to upgrade to version 1.15 or greater.
| id | cvss | desc | link | packageName | packageVersion | severity | status | vecStr |
|---|---|---|---|---|---|---|---|---|
| PRISMA-2021-0055 | 0 | Versions <1.13 of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string, the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings. | . | commons-codec_commons-codec | 1.9 | low | fixed in 1.13 | . |
A possible fix is simply to update the JAR to its newest version.
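The weakness in the table is a decoder that silently discards the unused trailing bits of the final Base32 character instead of requiring them to be zero, so several different strings decode to the same bytes and the spare bits can carry data that re-encoding never reveals. The following is an added example written for this page, not code from Cassandra or commons-codec: a small RFC 4648 Base32 codec with a lenient mode that mirrors the described behaviour and a strict mode that rejects non-canonical input, plus two checks a reviewer or detection pipeline can run. The function names (b32_encode, b32_decode, pad_bits, is_canonical) are my own and the sample strings are constructed.

```python
# Added example: strict vs. lenient Base32 decoding (not from the issue or commons-codec).

B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_REV = {c: i for i, c in enumerate(B32_ALPHABET)}
# Valid numbers of data characters in the final quantum (RFC 4648 section 6)
# mapped to the number of unused "pad bits" each one leaves in its last character.
_PAD_BITS = {0: 0, 2: 2, 4: 4, 5: 1, 7: 3}


def b32_encode(data: bytes) -> str:
    """Canonical RFC 4648 Base32 encoding: the pad bits are always zero."""
    bits = nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(B32_ALPHABET[(bits >> nbits) & 0x1F])
        bits &= (1 << nbits) - 1  # keep only the not-yet-emitted bits
    if nbits:  # flush the last bits left-aligned; the low bits are zero
        out.append(B32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    out.append("=" * (-len(out) % 8))
    return "".join(out)


def b32_decode(text: str, strict: bool = True) -> bytes:
    """Decode Base32. strict=True rejects input whose pad bits are non-zero;
    strict=False mirrors the lenient behaviour the advisory describes."""
    if len(text) % 8:
        raise ValueError("Base32 input length must be a multiple of 8")
    body = text.rstrip("=")
    if len(body) % 8 not in _PAD_BITS:
        raise ValueError("invalid padding")
    bits = nbits = 0
    out = bytearray()
    for ch in body:
        if ch not in _B32_REV:
            raise ValueError(f"non-alphabet character {ch!r}")
        bits = (bits << 5) | _B32_REV[ch]
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    # `bits` now holds only the unused trailing bits of the last character.
    if strict and bits:
        raise ValueError("non-canonical Base32: pad bits are not zero")
    return bytes(out)


def pad_bits(text: str) -> int:
    """Value carried in the unused pad bits of a Base32 string (0 for every
    canonical encoding). Non-zero values flag strings a lenient decoder
    would have accepted without complaint."""
    body = text.rstrip("=")
    n = _PAD_BITS[len(body) % 8]
    return _B32_REV[body[-1]] & ((1 << n) - 1) if n else 0


def is_canonical(text: str) -> bool:
    """Re-encode-and-compare check: True only when `text` is the single
    canonical encoding of the bytes it decodes to."""
    try:
        return b32_encode(b32_decode(text, strict=False)) == text
    except ValueError:
        return False


if __name__ == "__main__":
    canonical = b32_encode(b"f")                    # constructed: "MY======"
    # Same payload byte, but the two spare bits of the last character now hold 01.
    smuggled = canonical[:1] + "Z" + canonical[2:]  # "MZ======"
    print(b32_decode(smuggled, strict=False))       # b'f': lenient decoder accepts it
    print(pad_bits(smuggled))                       # 1: the value hidden in the pad bits
    print(is_canonical(canonical), is_canonical(smuggled))  # True False
    try:
        b32_decode(smuggled, strict=True)
    except ValueError as err:
        print("strict decoder:", err)
```

Either check closes the channel: requiring the pad bits to be zero at decode time, or re-encoding the decoded bytes and comparing with the input. Running pad_bits over Base32 values taken from logs or requests is a cheap way to find inputs that were only ever accepted because the decoder was lenient.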
Attachments
Issue Links
- is a clone of: CASSANDRA-16734 Remediate Cassandra 3.11.10 JAR dependency vulnerabilities (Resolved)