
[BugFix][CVE] bump jackson-databind to 2.21.4 (backport #75373)#75377

Merged
wanpengfei-git merged 1 commit into
branch-4.1from
mergify/bp/branch-4.1/pr-75373
Jun 25, 2026

Conversation

@mergify mergify Bot commented Jun 25, 2026


Bump the jackson family (jackson.version) from 2.21.1 to 2.21.4 across fe/, java-extensions/, and fs_brokers/ to remediate two jackson-databind deserialization vulnerabilities.

  • CVE-2026-54512: com.fasterxml.jackson.core:jackson-databind, affected >= 2.10.0, < 2.21.4 (2.21.x line), fixed in 2.21.4. A class can be smuggled past a PolymorphicTypeValidator allow-list as a generic type argument and instantiated during deserialization (RCE).

  • CVE-2026-54513: com.fasterxml.jackson.core:jackson-databind, affected >= 2.10.0, < 2.21.4 (2.21.x line), fixed in 2.21.4. CWE-184: the BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() path inadequately validates array component types, bypassing the allow-list.

jackson-databind ships directly in fe/ and is also pulled in transitively via the Hadoop/Hive/Iceberg/Paimon/Kudu/Hudi ecosystem in java-extensions/ and fs_brokers/. All trees route jackson-core / jackson-databind / jackson-dataformat-yaml / jackson-module-jaxb-annotations through the shared ${jackson.version} property in dependencyManagement (Maven) and constraints (Gradle), so the single property bump forces the patched version everywhere, including transitive pulls.

jackson-annotations.version stays at 2.21 (it has no 2.21.4 release and is not affected by these CVEs).

Why I'm doing:

What I'm doing:

Fixes #issue

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
    • This pr needs auto generate documentation
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 4.1
    • 4.0
    • 3.5

This is an automatic backport of pull request #75373 done by [Mergify](https://mergify.com).

Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
(cherry picked from commit ccd82aa)
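An added example, not code from the PR or the project, for verifying the transitive case the description relies on: it scans `mvn dependency:tree` output for any jackson-databind still inside the affected range [2.10.0, 2.21.4) and then shows the same tree once dependencyManagement routes the transitive pull through the shared property. The tree lines, the `example.org` coordinates and the hadoop-common version are constructed samples.

```python
import re
from typing import List, Tuple

# Bounds of the affected range from the advisory text above:
# affected >= 2.10.0, < 2.21.4; fixed in 2.21.4.
AFFECTED_FROM = (2, 10, 0)
FIXED = (2, 21, 4)
GROUP = "com.fasterxml.jackson.core"
# Only jackson-databind is affected; jackson-annotations (pinned at 2.21) is not checked.
ARTIFACTS = {"jackson-databind"}

# Matches one `mvn dependency:tree` artifact line: group:artifact:type:version:scope.
DEP_RE = re.compile(r"([\w.-]+):([\w.-]+):\w+:([\w.-]+):(\w+)")

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted prefix as a tuple; a qualifier such as '-rc1' is ignored (assumption)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def is_affected(version: str) -> bool:
    """True if the resolved version lies in the affected range [2.10.0, 2.21.4)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED

def find_vulnerable(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, resolved version, scope) for every affected jackson-databind in the tree."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) == GROUP and m.group(2) in ARTIFACTS and is_affected(m.group(3)):
            hits.append((m.group(2), m.group(3), m.group(4)))
    return hits

# Constructed sample output (not a real build): a transitive Hadoop pull of an old
# jackson-databind that is not yet forced through ${jackson.version}.
TREE_BEFORE = """\
[INFO] example.org:fe-core:jar:1.0.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.21.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.21:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.21.4:compile
[INFO] \\- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.7.1:compile
"""
# Same tree once dependencyManagement overrides the transitive version (Maven's "managed from" note).
TREE_AFTER = TREE_BEFORE.replace(
    "jackson-databind:jar:2.12.7.1:compile",
    "jackson-databind:jar:2.21.4:compile (version managed from 2.12.7.1)")

if __name__ == "__main__":
    print("before:", find_vulnerable(TREE_BEFORE))  # [('jackson-databind', '2.12.7.1', 'compile')]
    print("after:", find_vulnerable(TREE_AFTER))    # []
```

Pipe real `mvn dependency:tree` output from fe/, java-extensions/ and fs_brokers/ into `find_vulnerable` and fail the build when it returns anything.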
@wanpengfei-git wanpengfei-git merged commit 1ce7a63 into branch-4.1 Jun 25, 2026
38 checks passed
@wanpengfei-git wanpengfei-git deleted the mergify/bp/branch-4.1/pr-75373 branch June 25, 2026 21:41