thelastpickle / cassandra-reaper

Automated Repair Awesomeness for Apache Cassandra
http://cassandra-reaper.io/
Apache License 2.0

Spring vulnerability #1464

Closed akki-reddy closed 5 months ago

akki-reddy commented 5 months ago


Is cassandra-reaper vulnerable to the "VMware Spring: CVE-2022-22965: Spring Framework RCE via Data Binding" CVE?

adejanovski commented 5 months ago

cassandra-reaper is built on top of Dropwizard; it doesn't use Spring. One of our dependencies, the migration library, uses Spring IIRC, but looking at the CVE the app has to be packaged as a WAR, which isn't the case, and it has to use spring-webmvc or spring-webflux, which isn't the case either. We're good then.
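The reply above boils down to two checks against the build: is the artifact packaged as a WAR, and does spring-webmvc or spring-webflux appear anywhere on the classpath (including transitively, through a library such as the migration dependency mentioned)? The script below is an added example, not part of the issue thread or of the cassandra-reaper project; it parses the text that `mvn dependency:tree` prints and reports whether those two preconditions are met. The dependency trees embedded in it are constructed, with made-up coordinates, versions and a hypothetical `migration-lib`, to mirror the situation the reply describes and its opposite.

```python
import re

# CVE-2022-22965 preconditions that are visible in a Maven dependency tree.
# (The VMware advisory also requires JDK 9+ and deployment on Tomcat; those
# cannot be read from the tree and are flagged as "not checked" below.)
WEB_MODULES = {"spring-webmvc", "spring-webflux"}
SPRING_GROUP = "org.springframework"

# One `mvn dependency:tree` line: "[INFO]" + tree drawing (| + \ - spaces)
# + Maven coordinates with no embedded whitespace.
_TREE_LINE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(\S+)$")


def parse_tree_line(line: str):
    """Return {group, artifact, type} for a dependency-tree line, else None."""
    m = _TREE_LINE.match(line.rstrip())
    if not m:
        return None
    parts = m.group(1).split(":")
    # groupId:artifactId:type[:classifier]:version[:scope]; the root project
    # line has four fields, dependencies five or six.
    if len(parts) < 4:
        return None
    return {"group": parts[0], "artifact": parts[1], "type": parts[2]}


def assess_spring4shell_preconditions(tree_text: str) -> dict:
    """Evaluate WAR packaging and spring-webmvc/webflux presence from a tree.

    Assumes the first coordinate line is the root project (as Maven prints it),
    so its type field is the project's packaging.
    """
    coords = [c for c in map(parse_tree_line, tree_text.splitlines()) if c]
    if not coords:
        raise ValueError("no Maven coordinates found in dependency tree text")
    packaging = coords[0]["type"]
    spring = sorted({c["artifact"] for c in coords[1:] if c["group"] == SPRING_GROUP})
    web = [a for a in spring if a in WEB_MODULES]

    unmet = []
    if packaging != "war":
        unmet.append(f"packaging is '{packaging}', not 'war'")
    if not web:
        unmet.append("neither spring-webmvc nor spring-webflux is on the classpath")

    return {
        "packaging": packaging,
        "spring_artifacts": spring,   # any Spring at all (e.g. via a migration lib)
        "web_modules": web,           # the modules the CVE actually needs
        "preconditions_met": not unmet,
        "unmet": unmet,
        "not_checked": ["JDK 9+", "Tomcat deployment"],
    }


# Constructed tree: a JAR-packaged Dropwizard app whose only Spring usage is
# transitive, pulled in by a hypothetical migration library.
SAMPLE_TREE_JAR_APP = """\
[INFO] com.example:reaper-like-app:jar:0.0.1-SNAPSHOT
[INFO] +- io.dropwizard:dropwizard-core:jar:0.0.0-example:compile
[INFO] |  \\- io.dropwizard:dropwizard-jersey:jar:0.0.0-example:compile
[INFO] \\- com.example:migration-lib:jar:0.0.0-example:compile
[INFO]    \\- org.springframework:spring-jdbc:jar:0.0.0-example:compile
[INFO]       +- org.springframework:spring-core:jar:0.0.0-example:compile
[INFO]       \\- org.springframework:spring-tx:jar:0.0.0-example:compile
"""

# Constructed tree: the shape that does satisfy both visible preconditions.
SAMPLE_TREE_WAR_APP = """\
[INFO] com.example:legacy-webapp:war:0.0.1-SNAPSHOT
[INFO] \\- org.springframework:spring-webmvc:jar:0.0.0-example:compile
[INFO]    \\- org.springframework:spring-web:jar:0.0.0-example:compile
"""

if __name__ == "__main__":
    for name, tree in (("jar app", SAMPLE_TREE_JAR_APP), ("war app", SAMPLE_TREE_WAR_APP)):
        result = assess_spring4shell_preconditions(tree)
        print(f"{name}: preconditions_met={result['preconditions_met']}")
        for reason in result["unmet"]:
            print(f"  - {reason}")
        print(f"  spring artifacts seen: {result['spring_artifacts']}")
```

In a real project, feed it `mvn dependency:tree` output (`mvn dependency:tree > tree.txt`) rather than the embedded samples. Note that the JAR-app result still lists Spring artifacts: having `org.springframework` on the classpath is not the same as meeting the CVE's preconditions, which is exactly the distinction the reply makes.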