[
https://issues.apache.org/jira/browse/KAFKA-20767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chia-Ping Tsai resolved KAFKA-20767.
------------------------------------
Fix Version/s: 4.4.0
4.2.2
4.3.2
Resolution: Fixed
> [CVE-2026-54513] , [CVE-2026-54512] [jackson-databind] [2.21.2]
> ---------------------------------------------------------------
>
> Key: KAFKA-20767
> URL: https://issues.apache.org/jira/browse/KAFKA-20767
> Project: Kafka
> Issue Type: Bug
> Reporter: Krishna Chidrawar
> Priority: Critical
> Fix For: 4.4.0, 4.2.2, 4.3.2
>
>
> h5. [CVE-2026-54513]:
> jackson-databind contains the general-purpose data-binding functionality and
> tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and
> 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()
> allowlists any array type based only on clazz.isArray(), without validating
> the array's component (element) type against the configured allowlist. A PTV
> built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist
> therefore still permits EvilType[] even though EvilType is not allowlisted.
> When Jackson deserializes the elements and no per-element type IDs are
> present, it instantiates the component type directly with no further PTV
> check, bypassing the allowlist. This vulnerability is fixed in 2.18.8,
> 2.21.4, and 3.1.4.
> [https://nvd.nist.gov/vuln/detail/CVE-2026-54513]
> h5. [CVE-2026-54512] :
> jackson-databind contains the general-purpose data-binding functionality and
> tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and
> 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary
> safety mechanism guarding polymorphic deserialization. When polymorphic
> typing is enabled and a type identifier contains generic parameters (i.e. the
> type ID string contains <), DatabindContext._resolveAndValidateGeneric()
> validates only the raw container class name (the substring before <) against
> the configured PTV. If the container type is approved, the method parses the
> full canonical type string via TypeFactory.constructFromCanonical() and
> returns the fully parameterized type without ever validating the nested type
> arguments against the PTV. The nested type arguments are then resolved,
> instantiated, and populated as beans during deserialization. An attacker who
> controls the type ID can therefore place a denied class as a generic type
> parameter of an allowed container — for example
> java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is
> allow-listed. The container passes the PTV check; com.evil.Gadget is loaded
> via Class.forName(name, true, loader), instantiated, and its properties are
> set from attacker-controlled JSON. This completely bypasses an explicitly
> configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and
> 3.1.4.
> https://nvd.nist.gov/vuln/detail/CVE-2026-54512
--
This message was sent by Atlassian Jira
(v8.20.10#820010)