CVE-2026-40974 - Medium - CVE-2026-40974: Cassandra SSL auto-configuration disables TLS hostname verification
Spring
·
2026-04-23
·
via Spring Security Advisories
Description Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected Spring Products and Versions Spring Boot: 4.0.0 - 4.0.5 3.5.0 - 3.5.13 3.4.0 - 3.4.15 3.3.0 - 3.3.18 2.7.0 - 2.7.32 Versions that are no longer supported are also affected. Mitigation Users of affected versions should upgrade to the corresponding fixed version. Affected version(s) Fix version Availability 4.0.x 4.0.6 OSS 3.5.x 3.5.14 OSS 3.4.x 3.4.16 Enterprise Support Only 3.3.x 3.3.19 Enterprise Support Only 2.7.x 2.7.33 Enterprise Support Only No further mitigation steps are necessary. References https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L&version=3.1 History 2026-04-23: Initial vulnerability report published.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。