Krishna Chidrawar created KAFKA-20767:
-----------------------------------------
Summary: [CVE-2026-54513] , [CVE-2026-54512] [jackson-databind]
[2.21.2]
Key: KAFKA-20767
URL: https://issues.apache.org/jira/browse/KAFKA-20767
Project: Kafka
Issue Type: Bug
Reporter: Krishna Chidrawar
h5. [CVE-2026-54513]:
jackson-databind contains the general-purpose data-binding functionality and
tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and
3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists
any array type based only on clazz.isArray(), without validating the array's
component (element) type against the configured allowlist. A PTV built with
allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore
still permits EvilType[] even though EvilType is not allowlisted. When Jackson
deserializes the elements and no per-element type IDs are present, it
instantiates the component type directly with no further PTV check, bypassing
the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
[https://nvd.nist.gov/vuln/detail/CVE-2026-54513]
h5. [CVE-2026-54512] :
jackson-databind contains the general-purpose data-binding functionality and
tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and
3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety
mechanism guarding polymorphic deserialization. When polymorphic typing is
enabled and a type identifier contains generic parameters (i.e. the type ID
string contains <), DatabindContext._resolveAndValidateGeneric() validates only
the raw container class name (the substring before <) against the configured
PTV. If the container type is approved, the method parses the full canonical
type string via TypeFactory.constructFromCanonical() and returns the fully
parameterized type without ever validating the nested type arguments against
the PTV. The nested type arguments are then resolved, instantiated, and
populated as beans during deserialization. An attacker who controls the type ID
can therefore place a denied class as a generic type parameter of an allowed
container — for example java.util.ArrayList<com.evil.Gadget> when only
java.util.ArrayList is allow-listed. The container passes the PTV check;
com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated,
and its properties are set from attacker-controlled JSON. This completely
bypasses an explicitly configured PTV allow-list. This vulnerability is fixed
in 2.18.8, 2.21.4, and 3.1.4.
https://nvd.nist.gov/vuln/detail/CVE-2026-54512
--
This message was sent by Atlassian Jira
(v8.20.10#820010)