Details
- Type: Task
- Status: Resolved
- Priority: Normal
- Resolution: Fixed
- Semantic
- All
Description
Apache Cassandra uses version 1.26 of the snakeyaml dependency, and there are several vulnerabilities in this version that can be fixed by upgrading to a 2.x version. I understand that this is not a security issue, as Cassandra already uses SafeConstructor and it is not a vulnerability under OWASP, so there are no plans to fix it as per CASSANDRA-18122.
Cassandra, as an open source project, is used and distributed by many enterprise customers, and when downloading Cassandra as a tar and using it, external scanners are not aware of the SafeConstructor implementation and have no idea whether it is vulnerable or not.
Can we consider upgrading the version to 2.x in the next releases, as snakeyaml is not something that has a large dependency between the major and minor versions? I am happy to open a PR for this. Please let me know your thoughts on this.
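The point the description relies on, that loading through SafeConstructor is what neutralises the snakeyaml 1.x deserialisation CVEs, is easy to check in isolation. The following is an added example, not Cassandra's own code and not from this ticket: a small loader that parses a constructed config document with `SafeConstructor` and then shows that a document carrying a global `!!` tag (the mechanism the unsafe default `Constructor` would use to instantiate arbitrary classes) is rejected with a `ConstructorException`. The config keys and the tag used are assumptions chosen for the demo; the API calls are the snakeyaml 1.x ones.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlCheck {

    // Constructed sample: an ordinary, tag-free config document.
    static final String PLAIN_CONFIG =
            "cluster_name: demo\n" +
            "num_tokens: 16\n";

    // Constructed sample: the same key, but the value carries a global tag that
    // asks the loader to instantiate a JVM class. java.lang.Object is used here
    // purely because it is harmless; the check is on the tag mechanism, not the class.
    static final String TAGGED_CONFIG =
            "cluster_name: !!java.lang.Object {}\n";

    // Load with SafeConstructor: only the standard YAML types (maps, lists,
    // scalars) are constructed; any global tag falls through to the
    // "undefined" constructor, which throws instead of reflecting.
    // Note: snakeyaml 1.x API. On 2.x the constructor takes a LoaderOptions,
    // i.e. new SafeConstructor(new LoaderOptions()).
    static Object loadSafely(String document) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(document);
    }

    // Returns true when the loader refused to construct the tagged node.
    static boolean rejectsGlobalTag(String document) {
        try {
            loadSafely(document);
            return false;
        } catch (ConstructorException e) {
            // Expected message: "could not determine a constructor for the tag ..."
            return true;
        }
    }

    public static void main(String[] args) {
        @SuppressWarnings("unchecked")
        Map<String, Object> cfg = (Map<String, Object>) loadSafely(PLAIN_CONFIG);
        System.out.println("cluster_name = " + cfg.get("cluster_name"));   // demo
        System.out.println("num_tokens   = " + cfg.get("num_tokens"));     // 16

        System.out.println("tagged document rejected: " + rejectsGlobalTag(TAGGED_CONFIG)); // true
    }
}
```

Swapping `new SafeConstructor()` for the no-argument `new Yaml()` (which uses the reflective `Constructor`) is the configuration the scanners are flagging; with that loader the tagged document constructs the named class instead of throwing, which is why the choice of constructor, not the snakeyaml version alone, decides exposure.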