[ 
https://issues.apache.org/jira/browse/HBASE-30282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated HBASE-30282:
-----------------------------------
    Labels: pull-request-available  (was: )

> [hbase-thirdparty] Bump jackson-jaxrs-json-provider to 2.21.4                 
>                         
> ------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-30282
>                 URL: https://issues.apache.org/jira/browse/HBASE-30282
>             Project: HBase
>          Issue Type: Task
>          Components: security, thirdparty
>    Affects Versions: thirdparty-4.1.14
>            Reporter: Xavier Fernandis
>            Assignee: Xavier Fernandis
>            Priority: Major
>              Labels: pull-request-available
>
> Upgrade jackson-jaxrs-json-provider from 2.21.1 to 2.21.4 to pull in security 
> fixes for             jackson-databind. 
> - CVE-2026-54512 (HIGH, CVSS 8.1) — PolymorphicTypeValidator bypass via 
> generic type parameters,      
>   potentially enabling RCE                                                    
>                           
>   - CVE-2026-54513 (HIGH, CVSS 8.1) — allowIfSubTypeIsArray PTV bypass via 
> unvalidated array component  
>   types, potentially enabling RCE                                             
>                           
>   - CVE-2026-54514 (MEDIUM, CVSS 5.3) — SSRF via eager DNS resolution during 
> InetSocketAddress          
>   deserialization                                                             
>                           
>   - CVE-2026-54516 (MEDIUM, CVSS 5.3) — @JsonIgnore bypass via renamed setter 
> and private field
>   inference                                                                   
>                           
>   - CVE-2026-54517 (MEDIUM, CVSS 5.3) — @JsonView bypass for setterless 
> creator properties
>   - CVE-2026-54518 (MEDIUM, CVSS 6.5) — @JsonView bypass for unwrapped 
> creator parameters  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to