[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-5064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated ZOOKEEPER-5064:
--------------------------------------
    Labels: cve pull-request-available  (was: cve)

> Upgrade jackson to 2.18.8 to fix CVE-2026-54512, CVE-2026-54513, 
> CVE-2026-54514, CVE-2026-54515, GHSA-72hv-8253-57qq
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-5064
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5064
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: security
>    Affects Versions: 3.9.5
>            Reporter: Kirti Prajapat
>            Priority: Major
>              Labels: cve, pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Our security scanning detects the following CVEs in the currently used 
> jackson 2.18.1 jars bundled with ZooKeeper:
> {code:java}
> jackson-core (jackson-core-2.18.1.jar) 
> - GHSA-72hv-8253-57qq (MEDIUM) — Number Length Constraint Bypass in Async 
> Parser leading to potential DoS 
> Fixed in: 2.18.6, 2.21.1
> Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq{code}
>  
> {code:java}
> jackson-databind (jackson-databind-2.18.1.jar) 
> - CVE-2026-54512 (HIGH) — Arbitrary code execution via 
> PolymorphicTypeValidator bypass 
> Fixed in: 2.18.8, 2.21.4, 3.1.4 
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54512 
> - CVE-2026-54513 (HIGH) — Security bypass allows arbitrary code execution 
> Fixed in: 2.18.8, 2.21.4, 3.1.4 
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54513 
> - CVE-2026-54514 (MEDIUM) — Information Disclosure via Eager DNS Resolution 
> Fixed in: 2.18.8, 2.21.4, 3.1.4 
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54514 
> - CVE-2026-54515 (MEDIUM) — Ignored properties can be unexpectedly modified 
> Fixed in: 2.18.9, 2.21.5, 2.22.1, 3.1.4 
> Advisory: https://avd.aquasec.com/nvd/cve-2026-54515
> {code}
>  
> This single property controls all jackson-databind and transitive 
> jackson-core versions across the project.
> Version 2.18.8 is the minimum 2.18.x release that resolves 4 vulnerabilities 
> listed above.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to