[GHSA-5jmj-h7xm-6q6v] jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties#8676
Conversation
|
Hi there @cowtowncoder! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
|
Still missing fixed version! Would you please merge? |
|
Added "fixed" events for all four patch releases — all are now out and confirmed to include the CVE-2026-54515 fix per their official release wikis: 2.18.9 — Jackson Release 2.18.9 wiki | Maven Central Also added the missing "fixed": "3.1.4" event to the com.fasterxml.jackson.core 3.x range (only the tools.jackson.core entry had it), and added all four wiki release pages as references in the JSON. |
That is incorrect: 3.x is only for |
Updates
Comments
the fixed version is missing, confusing the osv scanner producing false positives for the fixed version.