[
https://issues.apache.org/jira/browse/ZOOKEEPER-5064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated ZOOKEEPER-5064:
--------------------------------------
Labels: cve pull-request-available (was: cve)
> Upgrade jackson to 2.18.8 to fix CVE-2026-54512, CVE-2026-54513,
> CVE-2026-54514, CVE-2026-54515, GHSA-72hv-8253-57qq
> --------------------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-5064
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5064
> Project: ZooKeeper
> Issue Type: Task
> Components: security
> Affects Versions: 3.9.5
> Reporter: Kirti Prajapat
> Priority: Major
> Labels: cve, pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Our security scanning detects the following CVEs in the currently used
> jackson 2.18.1 jars bundled with ZooKeeper:
> {code:java}
> jackson-core (jackson-core-2.18.1.jar)
> - GHSA-72hv-8253-57qq (MEDIUM) — Number Length Constraint Bypass in Async
> Parser leading to potential DoS
> Fixed in: 2.18.6, 2.21.1
> Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq{code}
>
> {code:java}
> jackson-databind (jackson-databind-2.18.1.jar)
> - CVE-2026-54512 (HIGH) — Arbitrary code execution via
> PolymorphicTypeValidator bypass
> Fixed in: 2.18.8, 2.21.4, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54512
> - CVE-2026-54513 (HIGH) — Security bypass allows arbitrary code execution
> Fixed in: 2.18.8, 2.21.4, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54513
> - CVE-2026-54514 (MEDIUM) — Information Disclosure via Eager DNS Resolution
> Fixed in: 2.18.8, 2.21.4, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54514
> - CVE-2026-54515 (MEDIUM) — Ignored properties can be unexpectedly modified
> Fixed in: 2.18.9, 2.21.5, 2.22.1, 3.1.4
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54515
> {code}
>
> This single property controls all jackson-databind and transitive
> jackson-core versions across the project.
> Version 2.18.8 is the minimum 2.18.x release that resolves 4 vulnerabilities
> listed above.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)