Cassandra team reports:
This release contains 6 security fixes, including:

- CVE-2022-24823: When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory.
- CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
- CVE-2019-2684: Difficult to exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE.
- CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
- CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
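The framing ambiguity behind CVE-2020-7238 above (a whitespace-prefixed Transfer-Encoding line followed by a Content-Length header) is what a strict front-end or proxy should refuse rather than guess at. The following is an added example, not code from the advisory or from Netty: a request-header validator that rejects obs-fold lines, whitespace before the colon, and Transfer-Encoding/Content-Length conflicts. The function name and the sample requests in the test are constructed for this illustration.

```python
# Added example, not from the advisory or from Netty: strict HTTP/1.1
# request framing check. Name and sample inputs are constructed.
import re
from typing import Tuple

# RFC 7230 "tchar": the only characters allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def check_framing(raw: bytes) -> Tuple[bool, str]:
    """Return (ok, reason); ok is False when body framing is ambiguous."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.split(b"\r\n")
    transfer_encoding = []
    content_length = []
    for line in lines[1:]:  # skip the request line
        # Leading SP/HTAB is obsolete line folding. A lenient parser may
        # treat " Transfer-Encoding: chunked" as a header while the proxy
        # in front does not, so the two disagree on where the body ends.
        if line[:1] in (b" ", b"\t"):
            return False, "leading whitespace (obs-fold) in header line"
        name, colon, value = line.partition(b":")
        if not colon:
            return False, "header line without colon"
        # Whitespace between the field name and the colon is forbidden
        # (RFC 7230 s3.2.4) and is another classic desync trigger.
        if name != name.rstrip() or not _TOKEN.match(name.decode("ascii", "replace")):
            return False, "invalid field name %r" % name
        lname = name.lower()
        if lname == b"transfer-encoding":
            transfer_encoding.extend(c.strip().lower() for c in value.split(b","))
        elif lname == b"content-length":
            content_length.append(value.strip())
    # RFC 7230 s3.3.3: a request carrying both is a smuggling signal; refuse it.
    if transfer_encoding and content_length:
        return False, "both Transfer-Encoding and Content-Length present"
    if len(set(content_length)) > 1:
        return False, "conflicting Content-Length values"
    if transfer_encoding and transfer_encoding[-1] != b"chunked":
        return False, "final Transfer-Encoding is not chunked"
    return True, "ok"
```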
OS | OS Version | Architecture | Package | Package Version | Filename
---|---|---|---|---|---
FreeBSD | any | noarch | cassandra3 | < 3.11.14 | UNKNOWN
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004