Skip to content

Commit 32079d4

Browse files
Merge pull request #631 from IABTechLab/syw-UID2-7364-upgrade-jackson-databind
UID2-7364: Upgrade jackson-databind 2.14.2 -> 2.19.0 (CVE-2026-54512 / CVE-2026-54513)
2 parents a58a07d + f4392a3 commit 32079d4

2 files changed

Lines changed: 11 additions & 1 deletion

File tree

.trivyignore

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,8 @@
55
# jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
66
# See: UID2-6670
77
GHSA-72hv-8253-57qq exp:2026-09-01
8+
9+
# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4)
10+
# See: UID2-7364
11+
CVE-2026-54512 exp:2026-07-25
12+
CVE-2026-54513 exp:2026-07-25

pom.xml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -206,10 +206,15 @@
206206
<artifactId>cbor</artifactId>
207207
<version>0.9</version>
208208
</dependency>
209+
<dependency>
210+
<groupId>com.fasterxml.jackson.core</groupId>
211+
<artifactId>jackson-core</artifactId>
212+
<version>2.19.0</version>
213+
</dependency>
209214
<dependency>
210215
<groupId>com.fasterxml.jackson.core</groupId>
211216
<artifactId>jackson-databind</artifactId>
212-
<version>2.14.2</version>
217+
<version>2.19.0</version>
213218
</dependency>
214219
<dependency>
215220
<groupId>org.projectlombok</groupId>

0 commit comments

Comments
 (0)