Kirti Prajapat created ZOOKEEPER-5064:
-----------------------------------------

             Summary: Upgrade jackson to fix CVE-2026-54512, CVE-2026-54513, 
CVE-2026-54514, CVE-2026-54515, GHSA-72hv-8253-57qq
                 Key: ZOOKEEPER-5064
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5064
             Project: ZooKeeper
          Issue Type: Task
          Components: security
    Affects Versions: 3.9.5
            Reporter: Kirti Prajapat


Our security scanning detects the following CVEs in the currently used jackson 
2.18.1 jars bundled with ZooKeeper: 
{code:java}
jackson-core (jackson-core-2.18.1.jar) 
- GHSA-72hv-8253-57qq (MEDIUM) — Number Length Constraint Bypass in Async 
Parser leading to potential DoS 
Fixed in: 2.18.6, 2.21.1
Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq{code}
 
{code:java}
jackson-databind (jackson-databind-2.18.1.jar) 
- CVE-2026-54512 (HIGH) — Arbitrary code execution via PolymorphicTypeValidator 
bypass 
Fixed in: 2.18.8, 2.21.4, 3.1.4 
Advisory: https://avd.aquasec.com/nvd/cve-2026-54512 
- CVE-2026-54513 (HIGH) — Security bypass allows arbitrary code execution 
Fixed in: 2.18.8, 2.21.4, 3.1.4 
Advisory: https://avd.aquasec.com/nvd/cve-2026-54513 
- CVE-2026-54514 (MEDIUM) — Information Disclosure via Eager DNS Resolution 
Fixed in: 2.18.8, 2.21.4, 3.1.4 
Advisory: https://avd.aquasec.com/nvd/cve-2026-54514 
- CVE-2026-54515 (MEDIUM) — Ignored properties can be unexpectedly modified 
Fixed in: 2.18.9, 2.21.5, 2.22.1, 3.1.4 
Advisory: https://avd.aquasec.com/nvd/cve-2026-54515
{code}
 

This single property controls all jackson-databind and transitive jackson-core 
versions across the project.
Version 2.18.9 is the minimum 2.18.x release that resolves all five 
vulnerabilities listed above.

 

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to