Spring vulnerability
Closed this issue · 1 comments
akki-reddy commented
Is cassandra-reaper vulnerable to "VMware Spring: CVE-2022-22965: Spring Framework RCE via Data Binding" CVE?
adejanovski commented
cassandra-reaper is based on top of Dropwizard; it doesn't use Spring.
One of our dependencies, the migration library, uses Spring IIRC, but looking at the CVE the app has to be packaged as a WAR, which isn't the case, and it has to use spring-webmvc or spring-webflux, which isn't the case either.
We're good then.
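
The two preconditions named in the reply above (WAR packaging, and spring-webmvc or spring-webflux among the dependencies) can be checked against `mvn dependency:tree` output. This is an added example, not code from cassandra-reaper or from either commenter; `assess` is a hypothetical helper, the dependency trees, coordinates and versions are constructed samples, and it checks only the conditions stated in this thread.

```python
import re

# Preconditions named in this thread: WAR packaging plus one of these modules.
WEB_MODULES = {"spring-webmvc", "spring-webflux"}

def assess(tree_text):
    """Check `mvn dependency:tree` output against the thread's two preconditions."""
    packaging, spring, web = None, [], []
    for line in tree_text.splitlines():
        # Drop the "[INFO] " prefix and the tree-drawing characters.
        body = re.sub(r"^\[INFO\]\s*", "", line).lstrip("|+\\- ")
        parts = body.split(":")
        if len(parts) < 4 or " " in body:
            continue  # banner or status line, not a Maven coordinate
        group, artifact, kind = parts[0], parts[1], parts[2]
        if packaging is None:
            packaging = kind  # first coordinate is the project itself
            continue
        if group == "org.springframework":
            spring.append(artifact)  # direct or transitive Spring artifact
            if artifact in WEB_MODULES:
                web.append(artifact)
    return {
        "packaging": packaging,
        "spring_artifacts": spring,
        "web_modules": web,
        "preconditions_met": packaging == "war" and bool(web),
    }

# Constructed sample: jar-packaged service that only pulls Spring in
# transitively through a hypothetical migration library.
JAR_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ service ---
[INFO] com.example:service:jar:1.0.0
[INFO] +- io.dropwizard:dropwizard-core:jar:2.0.28:compile
[INFO] \- com.example:migration-lib:jar:3.1.0:compile
[INFO]    +- org.springframework:spring-jdbc:jar:5.3.17:compile
[INFO]    \- org.springframework:spring-core:jar:5.3.17:compile
"""

# Constructed sample: WAR-packaged application that depends on spring-webmvc.
WAR_TREE = r"""
[INFO] com.example:webapp:war:1.0.0
[INFO] \- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    \- org.springframework:spring-web:jar:5.3.17:compile
"""

if __name__ == "__main__":
    for name, tree in (("jar sample", JAR_TREE), ("war sample", WAR_TREE)):
        print(name, assess(tree))
```

A Spring artifact showing up in `spring_artifacts` with `preconditions_met` false corresponds to the situation the reply describes: Spring is present transitively, but neither stated condition holds.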