Xavier Fernandis created HBASE-30282:
----------------------------------------
Summary: [hbase-thirdparty] Bump jackson-jaxrs-json-provider to
2.21.4
Key: HBASE-30282
URL: https://issues.apache.org/jira/browse/HBASE-30282
Project: HBase
Issue Type: Task
Components: security, thirdparty
Affects Versions: thirdparty-4.1.14
Reporter: Xavier Fernandis
Assignee: Xavier Fernandis
Upgrade jackson-jaxrs-json-provider from 2.21.1 to 2.21.4 to pull in security
fixes for jackson-databind.
- CVE-2026-54512 (HIGH, CVSS 8.1) — PolymorphicTypeValidator bypass via generic
type parameters,
potentially enabling RCE
- CVE-2026-54513 (HIGH, CVSS 8.1) — allowIfSubTypeIsArray PTV bypass via
unvalidated array component
types, potentially enabling RCE
- CVE-2026-54514 (MEDIUM, CVSS 5.3) — SSRF via eager DNS resolution during
InetSocketAddress
deserialization
- CVE-2026-54516 (MEDIUM, CVSS 5.3) — @JsonIgnore bypass via renamed setter
and private field
inference
- CVE-2026-54517 (MEDIUM, CVSS 5.3) — @JsonView bypass for setterless creator
properties
- CVE-2026-54518 (MEDIUM, CVSS 6.5) — @JsonView bypass for unwrapped creator
parameters
--
This message was sent by Atlassian Jira
(v8.20.10#820010)