Krishna Chidrawar created KAFKA-20767:
-----------------------------------------

             Summary: [CVE-2026-54513] , [CVE-2026-54512] [jackson-databind] 
[2.21.2]
                 Key: KAFKA-20767
                 URL: https://issues.apache.org/jira/browse/KAFKA-20767
             Project: Kafka
          Issue Type: Bug
            Reporter: Krishna Chidrawar


h5. [CVE-2026-54513]: 
 jackson-databind contains the general-purpose data-binding functionality and 
tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 
3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists 
any array type based only on clazz.isArray(), without validating the array's 
component (element) type against the configured allowlist. A PTV built with 
allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore 
still permits EvilType[] even though EvilType is not allowlisted. When Jackson 
deserializes the elements and no per-element type IDs are present, it 
instantiates the component type directly with no further PTV check, bypassing 
the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4. 

[https://nvd.nist.gov/vuln/detail/CVE-2026-54513]
h5. [CVE-2026-54512] : 
jackson-databind contains the general-purpose data-binding functionality and 
tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 
3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety 
mechanism guarding polymorphic deserialization. When polymorphic typing is 
enabled and a type identifier contains generic parameters (i.e. the type ID 
string contains <), DatabindContext._resolveAndValidateGeneric() validates only 
the raw container class name (the substring before <) against the configured 
PTV. If the container type is approved, the method parses the full canonical 
type string via TypeFactory.constructFromCanonical() and returns the fully 
parameterized type without ever validating the nested type arguments against 
the PTV. The nested type arguments are then resolved, instantiated, and 
populated as beans during deserialization. An attacker who controls the type ID 
can therefore place a denied class as a generic type parameter of an allowed 
container — for example java.util.ArrayList<com.evil.Gadget> when only 
java.util.ArrayList is allow-listed. The container passes the PTV check; 
com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, 
and its properties are set from attacker-controlled JSON. This completely 
bypasses an explicitly configured PTV allow-list. This vulnerability is fixed 
in 2.18.8, 2.21.4, and 3.1.4.

https://nvd.nist.gov/vuln/detail/CVE-2026-54512



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to