[
https://issues.apache.org/jira/browse/KAFKA-20773?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mickael Maison resolved KAFKA-20773.
------------------------------------
Fix Version/s: 4.4.0
4.2.2
4.3.2
Resolution: Fixed
> [CVE-2026-54515][jackson-databind]
> ----------------------------------
>
> Key: KAFKA-20773
> URL: https://issues.apache.org/jira/browse/KAFKA-20773
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 4.3.0, 4.1.2, 4.2.1
> Reporter: Krishna Chidrawar
> Assignee: Federico Valeri
> Priority: Major
> Fix For: 4.4.0, 4.2.2, 4.3.2
>
>
> Description : jackson-databind contains the general-purpose data-binding
> functionality and tree-model for Jackson Data Processor. From 2.8.0 until
> 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(),
> per-property @JsonIgnoreProperties exclusions are applied by
> _handleByNameInclusion(), producing a contextual deserializer whose
> BeanPropertyMap has the ignored properties removed. The subsequent
> per-property case-insensitivity block (triggered by
> @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from
> this._beanProperties (the original, unfiltered map) instead of
> contextual._beanProperties, then overwrites the filtered map — restoring
> every property _handleByNameInclusion had just removed. The ignored property
> becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and
> 3.1.4.
> *NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2026-54515]
> Fix Version : 2.18.9, 2.21.5, and 3.1.4.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)