
Small question regarding a SpringBoot project please.

Currently with version 2.6.x, I am developing a very small web application storing data inside Cassandra.

Unfortunately, it seems from the dependency tree, it is carrying a vulnerable dependency:

native-protocol-1.5.0.jar (pkg:maven/com.datastax.oss/native-protocol@1.5.0, cpe:2.3:a:apache:cassandra:1.5.0:::::::*) : CVE-2020-13946

This is further confirmed by many static analysis scans, such as SonarQube, Black Duck, OWASP Dependency-Check, etc.

It seems this is due to a dependency from the Datastax team.

However, there are no public repos to raise a PR or an issue.

May I ask what I should do in order to fix this vulnerability, please?

Thank you

PatPanda

2 Answers


It looks like a false positive to me with native-protocol 1.5.0 incorrectly being considered to be part of Apache Cassandra 1.5.

If you want some assurances from the maintainers, native-protocol is on GitHub as is Datastax's Java Driver for Cassandra which depends upon native-protocol.

Andy Wilkinson
  • Hello @Andy, thank you for all the helpful links. I started an issue on native-protocol repo, hoping it will get fixed there, as well as cascading to Java driver core, and later spring data. Thank you for the answer, upvote + accept – PatPanda May 02 '22 at 11:39
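If you agree with the answer above that this is a false positive, the practical fix on the scanning side is a triage record, not a dependency change. The OWASP Dependency-Check suppression file below is an added example for this thread, not part of the original question or answer and not something the DataStax or Spring projects ship; the file name `dependency-check-suppressions.xml` and the Maven wiring mentioned afterwards are assumptions. It suppresses the wrong CPE match itself rather than the single CVE, so any future `apache:cassandra` CVE does not re-attach to this client jar, and it keeps the justification next to the rule where reviewers will see it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: com.datastax.oss:native-protocol is the client-side protocol
        codec used by the DataStax Java driver, not the Apache Cassandra server.
        Dependency-Check matched its version 1.5.0 to cpe:/a:apache:cassandra:1.5.0,
        which is what pulls in CVE-2020-13946 (a JMX issue in the server itself).
        Suppressing the CPE rather than only the CVE keeps any future
        apache:cassandra CVE from being attributed to this jar.
        ]]></notes>
        <!-- Match the jar by Package URL, any version, so a driver upgrade does not silently void the rule -->
        <packageUrl regex="true">^pkg:maven/com\.datastax\.oss/native-protocol@.*$</packageUrl>
        <!-- CPE 2.2 prefix form: matches every apache:cassandra CPE for this package -->
        <cpe>cpe:/a:apache:cassandra</cpe>
    </suppress>
</suppressions>
```

Wire it in with `<suppressionFiles><suppressionFile>dependency-check-suppressions.xml</suppressionFile></suppressionFiles>` in the `dependency-check-maven` plugin configuration, or `--suppression dependency-check-suppressions.xml` on the CLI. Because the suppression is keyed on the package URL, it applies whether the jar arrives directly or transitively through `spring-boot-starter-data-cassandra`. Keep the file in version control and re-check the `<notes>` rationale whenever the driver's major version changes; the other scanners named in the question (SonarQube, Black Duck) do not read this file and need their own equivalent triage entries with the same justification.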

CVE-2020-13946 has no relevance on the Spring framework or the native protocol JAR since the vulnerability only exists if both of these conditions are true:

  1. You are running an old version of Cassandra.
  2. The JMX port is exposed to public access.

The vulnerability is from 2020 and if you look at the details on sites like Mitre or NVD, you'll see that it only applies to:

... all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2 ...

The vulnerability doesn't exist in the supported versions of Cassandra. Cheers!

Erick Ramirez
  • I think you've completely missed the point. I've reached out to you on GitHub and offered to have a phone conversation so I can explain. Cheers! – Erick Ramirez May 11 '22 at 04:23