Skip to content

fix(deps): vuln minor: com.fasterxml.jackson.core:jackson-core, com.fasterxml.jackson.core:jackson-databind #4057

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/maven/0-1783381685
Open

fix(deps): vuln minor: com.fasterxml.jackson.core:jackson-core, com.fasterxml.jackson.core:jackson-databind #4057
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/maven/0-1783381685

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: High-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

  • . (maven)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
com.fasterxml.jackson.core:jackson-databind 2.20.1 2.22.0 minor Direct 2 HIGH, 2 MEDIUM
com.fasterxml.jackson.core:jackson-core 2.20.1 2.22.0 minor Direct 1 MEDIUM

Security Details

🚨 Critical & High Severity (2 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
com.fasterxml.jackson.core:jackson-databind GHSA-j3rv-43j4-c7qm HIGH jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation 2.20.1 2.18.8 -
com.fasterxml.jackson.core:jackson-databind GHSA-rmj7-2vxq-3g9f HIGH jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) 2.20.1 2.18.8 -
ℹ️ Other Vulnerabilities (3)
Package CVE Severity Summary Unsafe Version Fixed In Case
com.fasterxml.jackson.core:jackson-core GHSA-72hv-8253-57qq MODERATE jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition 2.20.1 2.21.1 -
com.fasterxml.jackson.core:jackson-databind GHSA-5jmj-h7xm-6q6v MODERATE jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties 2.20.1 - -
com.fasterxml.jackson.core:jackson-databind GHSA-hgj6-7826-r7m5 MODERATE jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) 2.20.1 2.18.8 -
⚠️ Dependencies that have Reached EOL (2)
Dependency Unsafe Version EOL Date New Version Path
com.fasterxml.jackson.core:jackson-core 2.20.1 - 2.22.0 pom.xml
com.fasterxml.jackson.core:jackson-databind 2.20.1 - 2.22.0 pom.xml

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@dd-prapprover-prod-77c48c

dd-prapprover-prod-77c48c Bot commented Jul 7, 2026

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-07-07T13:24:49Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Author

Auto-rebase complete

Branch is up to date with master — rebased onto 23982f0.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-6cbbf8 dd-octo-sts-6cbbf8 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/maven/0-1783381685 branch from 67c46d4 to 15d6a51 Compare July 13, 2026 18:56
@datadog-prod-us1-3

datadog-prod-us1-3 Bot commented Jul 13, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

Ensure labels | changelog   View in Datadog   GitHub Actions

🧪 4 Tests failed in 1 job

Run Tests | test   GitHub Actions

Validate API key returns "Forbidden" response from classpath:com/datadog/api/client/v1/api/authentication.feature:Authentication   View in Datadog
Could not initialize class com.fasterxml.jackson.databind.ObjectMapper
Validate API key returns "Forbidden" response from classpath:com/datadog/api/client/v1/api/authentication.feature:Authentication   View in Datadog
Could not initialize class com.fasterxml.jackson.databind.ObjectMapper

View all failed tests

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: d1784d8 | Docs | Datadog PR Page | Give us feedback!

…xml.jackson.core:jackson-databind

Co-authored-by: dd-octo-sts-6cbbf8[bot] <256648585+dd-octo-sts-6cbbf8[bot]@users.noreply.github.com>
@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Author

Auto-rebase complete

Branch is up to date with master — rebased onto b21a64f.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-4aefcb dd-octo-sts-4aefcb Bot force-pushed the engraver-auto-version-upgrade/minorpatch/maven/0-1783381685 branch from 15d6a51 to d1784d8 Compare July 13, 2026 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants