[ 
https://issues.apache.org/jira/browse/KAFKA-20773?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mickael Maison resolved KAFKA-20773.
------------------------------------
    Fix Version/s: 4.4.0
                   4.2.2
                   4.3.2
       Resolution: Fixed

> [CVE-2026-54515][jackson-databind]
> ----------------------------------
>
>                 Key: KAFKA-20773
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20773
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 4.3.0, 4.1.2, 4.2.1
>            Reporter: Krishna Chidrawar
>            Assignee: Federico Valeri
>            Priority: Major
>             Fix For: 4.4.0, 4.2.2, 4.3.2
>
>
> Description : jackson-databind contains the general-purpose data-binding 
> functionality and tree-model for Jackson Data Processor. From 2.8.0 until 
> 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), 
> per-property @JsonIgnoreProperties exclusions are applied by 
> _handleByNameInclusion(), producing a contextual deserializer whose 
> BeanPropertyMap has the ignored properties removed. The subsequent 
> per-property case-insensitivity block (triggered by 
> @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from 
> this._beanProperties (the original, unfiltered map) instead of 
> contextual._beanProperties, then overwrites the filtered map — restoring 
> every property _handleByNameInclusion had just removed. The ignored property 
> becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 
> 3.1.4.
> *NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2026-54515]
> Fix Version :  2.18.9, 2.21.5, and 3.1.4.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to