Kirti Prajapat created ZOOKEEPER-5064:
-----------------------------------------
Summary: Upgrade jackson to fix CVE-2026-54512, CVE-2026-54513,
CVE-2026-54514, CVE-2026-54515, GHSA-72hv-8253-57qq
Key: ZOOKEEPER-5064
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5064
Project: ZooKeeper
Issue Type: Task
Components: security
Affects Versions: 3.9.5
Reporter: Kirti Prajapat
Our security scanning detects the following CVEs in the currently used jackson
2.18.1 jars bundled with ZooKeeper:
{code:java}
jackson-core (jackson-core-2.18.1.jar)
- GHSA-72hv-8253-57qq (MEDIUM) — Number Length Constraint Bypass in Async
Parser leading to potential DoS
Fixed in: 2.18.6, 2.21.1
Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq{code}
{code:java}
jackson-databind (jackson-databind-2.18.1.jar)
- CVE-2026-54512 (HIGH) — Arbitrary code execution via PolymorphicTypeValidator
bypass
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54512
- CVE-2026-54513 (HIGH) — Security bypass allows arbitrary code execution
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54513
- CVE-2026-54514 (MEDIUM) — Information Disclosure via Eager DNS Resolution
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54514
- CVE-2026-54515 (MEDIUM) — Ignored properties can be unexpectedly modified
Fixed in: 2.18.9, 2.21.5, 2.22.1, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54515
{code}
This single property controls all jackson-databind and transitive jackson-core
versions across the project.
Version 2.18.9 is the minimum 2.18.x release that resolves all five
vulnerabilities listed above.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)