Skip to content

fix(deps): vuln minor: com.fasterxml.jackson.core:jackson-core, com.fasterxml.jackson.core:jackson-databind #4057

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/maven/0-1783381685
Open

fix(deps): vuln minor: com.fasterxml.jackson.core:jackson-core, com.fasterxml.jackson.core:jackson-databind #4057
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/maven/0-1783381685

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: High-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

  • . (maven)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
com.fasterxml.jackson.core:jackson-databind 2.20.1 2.22.0 minor Direct 2 HIGH, 2 MEDIUM
com.fasterxml.jackson.core:jackson-core 2.20.1 2.22.0 minor Direct 1 MEDIUM

Security Details

🚨 Critical & High Severity (2 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
com.fasterxml.jackson.core:jackson-databind GHSA-j3rv-43j4-c7qm HIGH jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation 2.20.1 2.18.8 -
com.fasterxml.jackson.core:jackson-databind GHSA-rmj7-2vxq-3g9f HIGH jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) 2.20.1 2.18.8 -
ℹ️ Other Vulnerabilities (3)
Package CVE Severity Summary Unsafe Version Fixed In Case
com.fasterxml.jackson.core:jackson-core GHSA-72hv-8253-57qq MODERATE jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition 2.20.1 2.21.1 -
com.fasterxml.jackson.core:jackson-databind GHSA-5jmj-h7xm-6q6v MODERATE jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties 2.20.1 - -
com.fasterxml.jackson.core:jackson-databind GHSA-hgj6-7826-r7m5 MODERATE jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) 2.20.1 2.18.8 -
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
com.fasterxml.jackson.core:jackson-core 2.20.1 - 2.22.0 pom.xml
com.fasterxml.jackson.core:jackson-databind 2.20.1 - 2.22.0 pom.xml

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@dd-prapprover-prod-77c48c

dd-prapprover-prod-77c48c Bot commented Jul 7, 2026

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-07-07T13:24:49Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants