Skip to content

fix(security): bump jackson-databind to 2.18.8#86

Merged
alexgomezlf merged 4 commits into
2.xfrom
alex/fix-jackson-databind-cve-2026-54512-54513
Jul 15, 2026
Merged

fix(security): bump jackson-databind to 2.18.8#86
alexgomezlf merged 4 commits into
2.xfrom
alex/fix-jackson-databind-cve-2026-54512-54513

Conversation

@alexgomezlf

Copy link
Copy Markdown
Contributor

Bumps the shared jackson-version property from 2.18.2 to 2.18.8 to remediate two Veracode-flagged CVEs in jackson-databind:

  • CVE-2026-54512 — PolymorphicTypeValidator bypass via generic type parameters
  • CVE-2026-54513 — PolymorphicTypeValidator bypass via array component types (allowIfSubTypeIsArray)

Both are fixed upstream in 2.18.8.

Fixes #679083
Fixes #679084

alexgomezlf and others added 4 commits July 8, 2026 14:47
…54512 and CVE-2026-54513

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…tion can post check runs

Default GITHUB_TOKEN permissions are read-only, so EnricoMi/publish-unit-test-result-action
was failing with 403 Resource not accessible by integration on every PR.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…R comment

checks:write alone got the check runs created, but the action's default
comment_mode also posts/updates a PR comment, which needs pull-requests:write.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

unit-test-results

46 tests  ±0   45 ✅ ±0   1s ⏱️ ±0s
 8 suites ±0    1 💤 ±0 
 8 files   ±0    0 ❌ ±0 

Results for commit 725c6a2. ± Comparison against base commit 430b527.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

integration-test-results-cloud

14 tests  ±0   14 ✅ ±0   9s ⏱️ -1s
 2 suites ±0    0 💤 ±0 
 2 files   ±0    0 ❌ ±0 

Results for commit 725c6a2. ± Comparison against base commit 430b527.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

integration-test-results-self-hosted

6 tests  ±0   6 ✅ ±0   10s ⏱️ +6s
1 suites ±0   0 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit 725c6a2. ± Comparison against base commit 430b527.

@bzajzon-laserfiche bzajzon-laserfiche left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean, minimal remediation: shared jackson-version property bumped 2.18.2 -> 2.18.8 (same 2.18.x patch line, negligible behavioral risk), pom version and CHANGELOG updated consistently, and the added workflow permissions block is a nice least-privilege improvement. CVEs and tracking issues are cited in the body. All CI green including both integration suites. One non-blocking note: the pom jumped 2.2.0 -> 2.2.5 (pom was stale across 2.2.1-2.2.4) — worth confirming the release pipeline reads the pom so this publishes as 2.2.5.

@alexgomezlf alexgomezlf merged commit e08de5d into 2.x Jul 15, 2026
10 checks passed
@alexgomezlf alexgomezlf deleted the alex/fix-jackson-databind-cve-2026-54512-54513 branch July 15, 2026 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants