Skip to content

[GHSA-5jmj-h7xm-6q6v] jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties#8406

Merged
advisory-database[bot] merged 1 commit into
ataillefer/advisory-improvement-8406from
ataillefer-GHSA-5jmj-h7xm-6q6v
Jun 30, 2026
Merged

[GHSA-5jmj-h7xm-6q6v] jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties#8406
advisory-database[bot] merged 1 commit into
ataillefer/advisory-improvement-8406from
ataillefer-GHSA-5jmj-h7xm-6q6v

Conversation

@ataillefer

Copy link
Copy Markdown

Updates

  • Affected products

Comments
For Affected versions >= 2.19.0, < 2.21.5, the Patched versions is marked as 2.21.5. Though, looking at the Maven Central repository for this artifact, the latest version above 2.21.4 is 2.22.0.

Running a grype scan of our project's artifacts with jackson-databind upgraded from 2.21.4 to 2.22.0 doesn't report the GHSA-5jmj-h7xm-6q6v vulnearbility anymore.

@github

github commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Hi there @cowtowncoder! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot AI review requested due to automatic review settings June 30, 2026 08:32
Copilot stopped work on behalf of ataillefer due to an error June 30, 2026 08:32
@github-actions github-actions Bot changed the base branch from main to ataillefer/advisory-improvement-8406 June 30, 2026 08:33

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the GitHub-reviewed advisory record for GHSA-5jmj-h7xm-6q6v (jackson-databind case-insensitive deserialization bypass) by adjusting the affected-version metadata for the Maven package.

Changes:

  • Updates the advisory modified timestamp.
  • Changes the fixed version for the 2.19.0 affected range to 2.22.0.
  • Adds affected[].database_specific.last_known_affected_version_range for the same range (< 2.21.5).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

},
{
"fixed": "2.21.5"
"fixed": "2.22.0"
@cowtowncoder

Copy link
Copy Markdown

Related issue on jackson-databind: FasterXML/jackson-databind#5962
Yes, will be fixed in 2.21.5 and in 2.22.1 so change is in right direction.

@ataillefer There should also be range block for [2.22.0, 2.22.1) tho given 2.22.0 is actually vulnerable?

@ataillefer

Copy link
Copy Markdown
Author

Related issue on jackson-databind: FasterXML/jackson-databind#5962 Yes, will be fixed in 2.21.5 and in 2.22.1 so change is in right direction.

@ataillefer There should also be range block for [2.22.0, 2.22.1) tho given 2.22.0 is actually vulnerable?

Yes thanks @cowtowncoder , I wasn't aware of FasterXML/jackson-databind#5962 and the actual patch versions. Though, I don't know how to amend this pull request, since I am not authorized to push to the related branch: ataillefer-GHSA-5jmj-h7xm-6q6v. Unless closing it and reopening one via GHSA-5jmj-h7xm-6q6v and https://github.com/advisories/GHSA-5jmj-h7xm-6q6v/improve?

@advisory-database advisory-database Bot merged commit aaf4c90 into ataillefer/advisory-improvement-8406 Jun 30, 2026
5 checks passed
@advisory-database

Copy link
Copy Markdown
Contributor

Hi @ataillefer! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database Bot deleted the ataillefer-GHSA-5jmj-h7xm-6q6v branch June 30, 2026 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants