Skip to content

[GHSA-5jmj-h7xm-6q6v] jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties#8626

Open
surli wants to merge 1 commit into
surli/advisory-improvement-8626from
surli-GHSA-5jmj-h7xm-6q6v
Open

[GHSA-5jmj-h7xm-6q6v] jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties#8626
surli wants to merge 1 commit into
surli/advisory-improvement-8626from
surli-GHSA-5jmj-h7xm-6q6v

Conversation

@surli

@surli surli commented Jul 8, 2026

Copy link
Copy Markdown

Updates

  • Affected products

Comments
The patched versions were missing leading to missing data in the JSON used by the vulnerability scanners: in particular, a last_known_affected_version_range was used instead of last_affected. See also the discussion and explanation for avoiding to use < without a patch version in #470 (comment)

@github

github commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Hi there @cowtowncoder! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@surli

surli commented Jul 8, 2026

Copy link
Copy Markdown
Author

To give a bit more context: we upgraded to jackson 2.21.5 yesterday and we're still receiving alerts about the CVE because of this.

@github-actions github-actions Bot changed the base branch from main to surli/advisory-improvement-8626 July 8, 2026 13:36

@cowtowncoder cowtowncoder left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cowtowncoder

Copy link
Copy Markdown

Thank you @surli.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants