Skip to content

Commit 5ad2229

Browse files
Merge pull request #633 from IABTechLab/syw-UID2-7364-revert-jackson-upgrade
UID2-7364: Revert jackson-databind to 2.14.2 (downstream breakage)
2 parents 8e4046b + 5251b24 commit 5ad2229

2 files changed

Lines changed: 4 additions & 7 deletions

File tree

.trivyignore

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,9 @@
66
# See: UID2-6670
77
GHSA-72hv-8253-57qq exp:2026-09-01
88

9-
# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4)
9+
# jackson-databind polymorphic deserialization bypass - not exploitable, uid2-shared does not enable polymorphic
10+
# typing (no @JsonTypeInfo, enableDefaultTyping, or PolymorphicTypeValidator usage). No upstream fix released yet
11+
# (fix targets: 2.18.8, 2.21.4, 3.1.4; latest available: 2.18.4).
1012
# See: UID2-7364
1113
CVE-2026-54512 exp:2026-07-25
1214
CVE-2026-54513 exp:2026-07-25

pom.xml

Lines changed: 1 addition & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -206,15 +206,10 @@
206206
<artifactId>cbor</artifactId>
207207
<version>0.9</version>
208208
</dependency>
209-
<dependency>
210-
<groupId>com.fasterxml.jackson.core</groupId>
211-
<artifactId>jackson-core</artifactId>
212-
<version>2.19.0</version>
213-
</dependency>
214209
<dependency>
215210
<groupId>com.fasterxml.jackson.core</groupId>
216211
<artifactId>jackson-databind</artifactId>
217-
<version>2.19.0</version>
212+
<version>2.14.2</version>
218213
</dependency>
219214
<dependency>
220215
<groupId>org.projectlombok</groupId>

0 commit comments

Comments
 (0)