Xavier Fernandis created HBASE-30282:
----------------------------------------

             Summary: [hbase-thirdparty] Bump jackson-jaxrs-json-provider to 
2.21.4                                         
                 Key: HBASE-30282
                 URL: https://issues.apache.org/jira/browse/HBASE-30282
             Project: HBase
          Issue Type: Task
          Components: security, thirdparty
    Affects Versions: thirdparty-4.1.14
            Reporter: Xavier Fernandis
            Assignee: Xavier Fernandis


Upgrade jackson-jaxrs-json-provider from 2.21.1 to 2.21.4 to pull in security 
fixes for             jackson-databind. 

- CVE-2026-54512 (HIGH, CVSS 8.1) — PolymorphicTypeValidator bypass via generic 
type parameters,      
  potentially enabling RCE                                                      
                        
  - CVE-2026-54513 (HIGH, CVSS 8.1) — allowIfSubTypeIsArray PTV bypass via 
unvalidated array component  
  types, potentially enabling RCE                                               
                        
  - CVE-2026-54514 (MEDIUM, CVSS 5.3) — SSRF via eager DNS resolution during 
InetSocketAddress          
  deserialization                                                               
                        
  - CVE-2026-54516 (MEDIUM, CVSS 5.3) — @JsonIgnore bypass via renamed setter 
and private field
  inference                                                                     
                        
  - CVE-2026-54517 (MEDIUM, CVSS 5.3) — @JsonView bypass for setterless creator 
properties
  - CVE-2026-54518 (MEDIUM, CVSS 6.5) — @JsonView bypass for unwrapped creator 
parameters  

 

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to