Krishna Chidrawar created KAFKA-20773:
-----------------------------------------

             Summary: [CVE-2026-54515][jackson-databind]
                 Key: KAFKA-20773
                 URL: https://issues.apache.org/jira/browse/KAFKA-20773
             Project: Kafka
          Issue Type: Bug
            Reporter: Krishna Chidrawar


 Description : jackson-databind contains the general-purpose data-binding 
functionality and tree-model for Jackson Data Processor. From 2.8.0 until 
2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), 
per-property @JsonIgnoreProperties exclusions are applied by 
_handleByNameInclusion(), producing a contextual deserializer whose 
BeanPropertyMap has the ignored properties removed. The subsequent per-property 
case-insensitivity block (triggered by 
@JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from 
this._beanProperties (the original, unfiltered map) instead of 
contextual._beanProperties, then overwrites the filtered map — restoring every 
property _handleByNameInclusion had just removed. The ignored property becomes 
writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
*NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2026-54515]

Fix Version :  2.18.9, 2.21.5, and 3.1.4.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to