Open vchauhan81 opened 1 year ago
Good day all, I figured I would add here instead of opening a new issue. We are using cassandra-reaper:3.3.3 and there are a few more CVEs found with our scan tools (Anchore and Twistlock) in regards to jetty-9.4.49.v20220914:
CVE-2023-36479, CVE-2023-40167, CVE-2023-41900, CVE-2023-44487
Please let me know if you have any questions.
@adejanovski Please help with the above queries.
We are using cassandra-reaper version 3.3.1 in our product. Recently we did a Blackduck security scan and the following issue was reported for reaper.
Component name - Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
Component version name - 9.4.49.v20220914
CVE - CVE-2023-26048 (BDSA-2023-0887), CVE-2023-26049 (BDSA-2023-0888)
CVSS - 5.3 (Medium)
Please confirm if version 3.3.1 is vulnerable to these CVEs. If yes, in which version would the fix be available?
Issue is synchronized with this Jira Story by Unito. Issue Number: REAP-40