[CASSANDRA-18150] Prefer snakeyaml's SafeConstructor over Constructor - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 3.0.29, 3.11.15, 4.0.8, 4.1.1, 5.0-alpha1, 5.0
Component/s: Local/Config
Labels:
None

Change Category:
Code Clarity
Complexity:
Low Hanging Fruit
Platform:

All
Impacts:

None
Source Control Link:

https://github.com/apache/cassandra/commit/e7f55ab8c3bd6bac4c87354afec231d7237c35b8
Test and Documentation Plan:

Hide

run CI

Show
run CI

Description

CVE-2022-1471 allows RCE through the Constructor class. While this isn't a concern since yaml is only used for configuration, it is simple enough to switch to SafeConstructor and harden the server a little more.

Attachments

Issue Links

is related to

CASSANDRA-18149 snakeyaml vulnerabilities: CVE-2021-4235, CVE-2022-1471, CVE-2022-3064

Resolved

is required by

CASSANDRA-18149 snakeyaml vulnerabilities: CVE-2021-4235, CVE-2022-1471, CVE-2022-3064

Resolved

Activity

People

Assignee:: Brandon Williams

Reporter:: Brandon Williams

Authors:: Brandon Williams

Reviewers:: Berenguer Blasi

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 11/Jan/23 21:44

Updated:: 12/Sep/23 13:03

Resolved:: 24/Jan/23 12:40