cassandra-5.0.advisories.yaml

schema-version: 2.0.2

package:
  name: cassandra-5.0

advisories:
  - id: CGA-2mmr-v32w-2chv
    aliases:
      - CVE-2022-38750
      - GHSA-hhhw-99gj-p3c3
    events:
      - timestamp: 2024-09-27T12:36:57Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: fc817545bae772a3
            componentName: snakeyaml
            componentVersion: "1.26"
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/snakeyaml-1.26.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-3gw6-5crj-7ph4
    aliases:
      - CVE-2022-38751
      - GHSA-98wm-3w3q-mw94
    events:
      - timestamp: 2024-09-27T12:36:52Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: fc817545bae772a3
            componentName: snakeyaml
            componentVersion: "1.26"
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/snakeyaml-1.26.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-4v88-fh58-2mpr
    aliases:
      - CVE-2022-25857
      - GHSA-3mc7-4q67-w48m
    events:
      - timestamp: 2024-09-27T12:36:51Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: fc817545bae772a3
            componentName: snakeyaml
            componentVersion: "1.26"
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/snakeyaml-1.26.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-c43g-8x54-j827
    aliases:
      - CVE-2022-42003
      - GHSA-jjjh-jjxp-wpff
    events:
      - timestamp: 2024-09-27T12:36:59Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: a846e53c007ae433
            componentName: jackson-databind
            componentVersion: 2.13.2.2
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/jackson-databind-2.13.2.2.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'
      - timestamp: 2024-10-08T19:39:33Z
        type: pending-upstream-fix
        data:
          note: 'jackson-databind 2.13.2.2 was suppressed as a CVE which can be found outlined in this issue here: https://issues.apache.org/jira/browse/CASSANDRA-17966  Though suppressed by the maintainers, the CVE is still valid.'

  - id: CGA-c8jc-9q83-4vwf
    aliases:
      - CVE-2022-1471
      - GHSA-mjmj-j48q-9wg2
    events:
      - timestamp: 2024-09-27T12:37:01Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: fc817545bae772a3
            componentName: snakeyaml
            componentVersion: "1.26"
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/snakeyaml-1.26.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-g26m-2r5c-xh44
    aliases:
      - CVE-2023-6481
      - GHSA-gm62-rw4g-vrc4
    events:
      - timestamp: 2024-09-27T12:36:55Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: 398399923a902016
            componentName: logback-core
            componentVersion: 1.2.12
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/logback-core-1.2.12.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-h55v-gg7j-gc5v
    aliases:
      - CVE-2022-38752
      - GHSA-9w3m-gqgf-c4p9
    events:
      - timestamp: 2024-09-27T12:36:53Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: fc817545bae772a3
            componentName: snakeyaml
            componentVersion: "1.26"
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/snakeyaml-1.26.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-jj3r-w482-76m6
    aliases:
      - CVE-2022-41854
      - GHSA-w37g-rhq8-7m4j
    events:
      - timestamp: 2024-09-27T12:37:10Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: fc817545bae772a3
            componentName: snakeyaml
            componentVersion: "1.26"
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/snakeyaml-1.26.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-jvxx-j7p9-gw4r
    aliases:
      - CVE-2024-47535
      - GHSA-xq3w-v528-46rv
    events:
      - timestamp: 2024-11-13T07:04:48Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0
            componentID: 7d6375c938d09a14
            componentName: netty-common
            componentVersion: 4.1.96.Final
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/netty-common-4.1.96.Final.jar
            scanner: grype

  - id: CGA-jx7r-g27c-g947
    aliases:
      - CVE-2023-6378
      - GHSA-vmq6-5m68-f53m
    events:
      - timestamp: 2024-09-27T12:37:07Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: 8f52a695e1144ff6
            componentName: logback-classic
            componentVersion: 1.2.12
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/logback-classic-1.2.12.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'

  - id: CGA-vmw3-v8q5-r6vx
    aliases:
      - CVE-2022-42004
      - GHSA-rgv9-q543-rqg4
    events:
      - timestamp: 2024-09-27T12:37:04Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: a846e53c007ae433
            componentName: jackson-databind
            componentVersion: 2.13.2.2
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/jackson-databind-2.13.2.2.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'
      - timestamp: 2024-10-08T19:45:37Z
        type: pending-upstream-fix
        data:
          note: 'jackson-databind 2.13.2.2 was suppressed as a CVE which can be found outlined in this issue here: https://issues.apache.org/jira/browse/CASSANDRA-17966  Though suppressed by the maintainers, the CVE is still valid.'

  - id: CGA-vv26-h372-g4hq
    aliases:
      - CVE-2022-38749
      - GHSA-c4r9-r8fh-9vj2
    events:
      - timestamp: 2024-09-27T12:36:54Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cassandra-5.0-compat
            componentID: fc817545bae772a3
            componentName: snakeyaml
            componentVersion: "1.26"
            componentType: java-archive
            componentLocation: /usr/share/java/cassandra/lib/snakeyaml-1.26.jar
            scanner: grype
      - timestamp: 2024-10-07T14:33:42Z
        type: false-positive-determination
        data:
          type: vulnerability-record-analysis-contested
          note: 'CVE considered a false positive by the maintainers: https://github.com/apache/cassandra/blob/cassandra-5.0/.build/owasp/dependency-check-suppressions.xml'