thelastpickle / cassandra-reaper

Automated Repair Awesomeness for Apache Cassandra
http://cassandra-reaper.io/
Apache License 2.0

Security vulnerabilities in SnakeYAML In Reaper (CVE-2022-1471) #1334

Closed vchauhan81 closed 4 weeks ago

vchauhan81 commented 1 year ago


We are using cassandra-reaper version 3.3.1 in our product. Recently we did a Blackduck security scan and the following issue was reported for Reaper.

Component name - SnakeYAML
Component version name - 1.29
CVE - CVE-2022-1471 (BDSA-2022-3447)
CVSS - 9.8 (Critical)

Can you please help us to confirm:

Is version 3.3.1 vulnerable to this CVE? If yes, in which version will the fix be available?

Issue is synchronized with this Jira Story by Unito. Issue Number: REAP-39

jeetnal01 commented 7 months ago

Can you please help with the above query?

adejanovski commented 7 months ago

We're currently working on upgrading our dependencies to fix some CVEs. Note that Reaper isn't vulnerable to this CVE.
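
To make concrete what CVE-2022-1471 is about, the following is an added example, not Reaper's code and not part of this thread. It targets the SnakeYAML 1.29 API named in the report and assumes only that library on the classpath; the class name `SnakeYamlLoaderCheck` and the tagged document are constructed for illustration. The generic `Constructor` honours a `!!fully.qualified.Class` tag in untrusted input and instantiates that class, which is the root of the CVE; `SafeConstructor` only knows the standard YAML types and rejects the tag. Whether a given application is exposed therefore depends on which constructor its `Yaml` instances are built with and whether the documents they load come from an untrusted source, not only on the library version.

```java
// Added example, not Reaper's code. Targets the SnakeYAML 1.29 API named in the report.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlLoaderCheck {

    // Constructed input: a YAML global tag asking the loader to instantiate a class
    // the application never declared. java.util.Date is a harmless stand-in for the
    // arbitrary-class instantiation that CVE-2022-1471 describes.
    static final String TAGGED_DOCUMENT = "!!java.util.Date {}";

    /** Affected pattern: the generic Constructor resolves any !!class tag via Class.forName. */
    static Object loadWithGenericConstructor(String document) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(document);
    }

    /** Safe pattern: SafeConstructor only builds maps, lists and scalars; unknown tags fail. */
    static Object loadWithSafeConstructor(String document) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(document);
    }

    public static void main(String[] args) {
        Object unsafe = loadWithGenericConstructor(TAGGED_DOCUMENT);
        System.out.println("Constructor instantiated: " + unsafe.getClass().getName());

        try {
            loadWithSafeConstructor(TAGGED_DOCUMENT);
            System.out.println("SafeConstructor accepted the tag (unexpected)");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag ..."
            System.out.println("SafeConstructor rejected the tag: " + e.getProblem());
        }
    }
}
```

When auditing a dependency finding like this one, the useful check is to locate every `new Yaml(...)` in the code that loads the library and confirm it uses `SafeConstructor` (or an equivalent allow-list) for any document that is not fully under the operator's control; a scanner reporting the library version alone cannot make that distinction.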

jeetnal01 commented 5 months ago

Thanks for the updates. Can you please help us know when the other CVEs will be fixed, and their list?

bschoening commented 4 weeks ago

@adejanovski this looks resolved with https://github.com/thelastpickle/cassandra-reaper/pull/1500/files

adejanovski commented 4 weeks ago

Thanks @bschoening, I'll close the ticket 👍