[
https://issues.apache.org/jira/browse/HBASE-30282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HBASE-30282:
-----------------------------------
Labels: pull-request-available (was: )
> [hbase-thirdparty] Bump jackson-jaxrs-json-provider to 2.21.4
>
> ------------------------------------------------------------------------------------------------------
>
> Key: HBASE-30282
> URL: https://issues.apache.org/jira/browse/HBASE-30282
> Project: HBase
> Issue Type: Task
> Components: security, thirdparty
> Affects Versions: thirdparty-4.1.14
> Reporter: Xavier Fernandis
> Assignee: Xavier Fernandis
> Priority: Major
> Labels: pull-request-available
>
> Upgrade jackson-jaxrs-json-provider from 2.21.1 to 2.21.4 to pull in security
> fixes for jackson-databind.
> - CVE-2026-54512 (HIGH, CVSS 8.1) — PolymorphicTypeValidator bypass via
> generic type parameters,
> potentially enabling RCE
>
> - CVE-2026-54513 (HIGH, CVSS 8.1) — allowIfSubTypeIsArray PTV bypass via
> unvalidated array component
> types, potentially enabling RCE
>
> - CVE-2026-54514 (MEDIUM, CVSS 5.3) — SSRF via eager DNS resolution during
> InetSocketAddress
> deserialization
>
> - CVE-2026-54516 (MEDIUM, CVSS 5.3) — @JsonIgnore bypass via renamed setter
> and private field
> inference
>
> - CVE-2026-54517 (MEDIUM, CVSS 5.3) — @JsonView bypass for setterless
> creator properties
> - CVE-2026-54518 (MEDIUM, CVSS 6.5) — @JsonView bypass for unwrapped
> creator parameters
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)