GHSA-mqvw-jfmh-93qq

Source

https://github.com/advisories/GHSA-mqvw-jfmh-93qq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mqvw-jfmh-93qq/GHSA-mqvw-jfmh-93qq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mqvw-jfmh-93qq

Aliases

CVE-2026-40974

Published

2026-04-28T00:31:41Z

Modified

2026-05-06T19:22:15.271154Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Spring Boot's Cassandra SSL auto-configuration disables TLS hostname verification

Details

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.

Database specific

{
    "cwe_ids": [
        "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T19:01:23Z",
    "nvd_published_at": "2026-04-28T00:16:24Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.6

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mqvw-jfmh-93qq/GHSA-mqvw-jfmh-93qq.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.5.0

Fixed

3.5.14

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mqvw-jfmh-93qq/GHSA-mqvw-jfmh-93qq.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Last affected

3.4.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mqvw-jfmh-93qq/GHSA-mqvw-jfmh-93qq.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Last affected

3.3.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mqvw-jfmh-93qq/GHSA-mqvw-jfmh-93qq.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.7.32

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mqvw-jfmh-93qq/GHSA-mqvw-jfmh-93qq.json"