Krishna Chidrawar created KAFKA-20773:
-----------------------------------------
Summary: [CVE-2026-54515][jackson-databind]
Key: KAFKA-20773
URL: https://issues.apache.org/jira/browse/KAFKA-20773
Project: Kafka
Issue Type: Bug
Reporter: Krishna Chidrawar
Description : jackson-databind contains the general-purpose data-binding
functionality and tree-model for Jackson Data Processor. From 2.8.0 until
2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(),
per-property @JsonIgnoreProperties exclusions are applied by
_handleByNameInclusion(), producing a contextual deserializer whose
BeanPropertyMap has the ignored properties removed. The subsequent per-property
case-insensitivity block (triggered by
@JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from
this._beanProperties (the original, unfiltered map) instead of
contextual._beanProperties, then overwrites the filtered map — restoring every
property _handleByNameInclusion had just removed. The ignored property becomes
writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
*NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2026-54515]
Fix Version : 2.18.9, 2.21.5, and 3.1.4.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)