[
https://issues.apache.org/jira/browse/ZOOKEEPER-5064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kirti Prajapat updated ZOOKEEPER-5064:
--------------------------------------
Description:
Our security scanning detects the following CVEs in the currently used jackson
2.18.1 jars bundled with ZooKeeper:
{code:java}
jackson-core (jackson-core-2.18.1.jar)
- GHSA-72hv-8253-57qq (MEDIUM) — Number Length Constraint Bypass in Async
Parser leading to potential DoS
Fixed in: 2.18.6, 2.21.1
Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq{code}
{code:java}
jackson-databind (jackson-databind-2.18.1.jar)
- CVE-2026-54512 (HIGH) — Arbitrary code execution via PolymorphicTypeValidator
bypass
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54512
- CVE-2026-54513 (HIGH) — Security bypass allows arbitrary code execution
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54513
- CVE-2026-54514 (MEDIUM) — Information Disclosure via Eager DNS Resolution
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54514
- CVE-2026-54515 (MEDIUM) — Ignored properties can be unexpectedly modified
Fixed in: 2.18.9, 2.21.5, 2.22.1, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54515
{code}
This single property controls all jackson-databind and transitive jackson-core
versions across the project.
Version 2.18.8 is the minimum 2.18.x release that resolves 4 vulnerabilities
listed above.
was:
Our security scanning detects the following CVEs in the currently used jackson
2.18.1 jars bundled with ZooKeeper:
{code:java}
jackson-core (jackson-core-2.18.1.jar)
- GHSA-72hv-8253-57qq (MEDIUM) — Number Length Constraint Bypass in Async
Parser leading to potential DoS
Fixed in: 2.18.6, 2.21.1
Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq{code}
{code:java}
jackson-databind (jackson-databind-2.18.1.jar)
- CVE-2026-54512 (HIGH) — Arbitrary code execution via PolymorphicTypeValidator
bypass
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54512
- CVE-2026-54513 (HIGH) — Security bypass allows arbitrary code execution
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54513
- CVE-2026-54514 (MEDIUM) — Information Disclosure via Eager DNS Resolution
Fixed in: 2.18.8, 2.21.4, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54514
- CVE-2026-54515 (MEDIUM) — Ignored properties can be unexpectedly modified
Fixed in: 2.18.9, 2.21.5, 2.22.1, 3.1.4
Advisory: https://avd.aquasec.com/nvd/cve-2026-54515
{code}
This single property controls all jackson-databind and transitive jackson-core
versions across the project.
Version 2.18.9 is the minimum 2.18.x release that resolves all five
vulnerabilities listed above.
> Upgrade jackson to fix CVE-2026-54512, CVE-2026-54513, CVE-2026-54514,
> CVE-2026-54515, GHSA-72hv-8253-57qq
> ----------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-5064
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5064
> Project: ZooKeeper
> Issue Type: Task
> Components: security
> Affects Versions: 3.9.5
> Reporter: Kirti Prajapat
> Priority: Major
> Labels: cve
>
> Our security scanning detects the following CVEs in the currently used
> jackson 2.18.1 jars bundled with ZooKeeper:
> {code:java}
> jackson-core (jackson-core-2.18.1.jar)
> - GHSA-72hv-8253-57qq (MEDIUM) — Number Length Constraint Bypass in Async
> Parser leading to potential DoS
> Fixed in: 2.18.6, 2.21.1
> Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq{code}
>
> {code:java}
> jackson-databind (jackson-databind-2.18.1.jar)
> - CVE-2026-54512 (HIGH) — Arbitrary code execution via
> PolymorphicTypeValidator bypass
> Fixed in: 2.18.8, 2.21.4, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54512
> - CVE-2026-54513 (HIGH) — Security bypass allows arbitrary code execution
> Fixed in: 2.18.8, 2.21.4, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54513
> - CVE-2026-54514 (MEDIUM) — Information Disclosure via Eager DNS Resolution
> Fixed in: 2.18.8, 2.21.4, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54514
> - CVE-2026-54515 (MEDIUM) — Ignored properties can be unexpectedly modified
> Fixed in: 2.18.9, 2.21.5, 2.22.1, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54515
> {code}
>
> This single property controls all jackson-databind and transitive
> jackson-core versions across the project.
> Version 2.18.8 is the minimum 2.18.x release that resolves 4 vulnerabilities
> listed above.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)