Skip to content

fix(cve): bump jackson-databind to 2.21.4 to remediate 6 CVEs#194

Merged
dkropachev merged 1 commit into
scylladb:masterfrom
nikagra:fix/cve-2026-54512-bump-jackson
Jun 30, 2026
Merged

fix(cve): bump jackson-databind to 2.21.4 to remediate 6 CVEs#194
dkropachev merged 1 commit into
scylladb:masterfrom
nikagra:fix/cve-2026-54512-bump-jackson

Conversation

@nikagra

@nikagra nikagra commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Fixes #193.

Problem

A Confluent Hub security scan of v1.1.6 flagged 7 CVEs in jackson-databind-2.21.3.jar, two of which are HIGH severity (CVSS 8.1):

CVE Severity CVSS
CVE-2026-54512 HIGH 8.1
CVE-2026-54513 HIGH 8.1
CVE-2026-54514 MEDIUM 5.3
CVE-2026-54515 MEDIUM 5.3
CVE-2026-54516 MEDIUM 5.3
CVE-2026-54517 MEDIUM 5.3
CVE-2026-54518 MEDIUM 6.5

Fix

Bump jackson.version from 2.21.32.21.4 in pom.xml.

This resolves 6 of 7 CVEs (both HIGHs + CVE-2026-54514, 54516, 54517, 54518). CVE-2026-54515 requires 2.21.5 which is not yet available on Maven Central and is tracked separately.

Notes

@nikagra nikagra force-pushed the fix/cve-2026-54512-bump-jackson branch from cc4214c to da481cb Compare June 30, 2026 13:59
@nikagra nikagra requested a review from dkropachev June 30, 2026 16:16
@dkropachev dkropachev merged commit b9be093 into scylladb:master Jun 30, 2026
7 checks passed
@nikagra nikagra deleted the fix/cve-2026-54512-bump-jackson branch July 1, 2026 14:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: remediate jackson-databind CVEs flagged in Confluent Hub scan of v1.1.6

2 participants