Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-54514 (GCVE-0-2026-54514)
Vulnerability from cvelistv5 – Published: 2026-06-23 20:51 – Updated: 2026-06-25 12:59- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/FasterXML/jackson-databind/sec… | x_refsource_CONFIRM |
| https://github.com/FasterXML/jackson-databind/pull/5951 | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/com… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| FasterXML | jackson-databind |
Affected:
>= 2.0.0, < 2.18.8
Affected: >= 2.19.0, < 2.21.4 Affected: >= 3.0.0, < 3.1.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:59:31.298188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:59:39.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jackson-databind",
"vendor": "FasterXML",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.18.8"
},
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.21.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T20:52:38.568Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5"
},
{
"name": "https://github.com/FasterXML/jackson-databind/pull/5951",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/pull/5951"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4"
}
],
"source": {
"advisory": "GHSA-hgj6-7826-r7m5",
"discovery": "UNKNOWN"
},
"title": "jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54514",
"datePublished": "2026-06-23T20:51:50.612Z",
"dateReserved": "2026-06-15T18:01:15.514Z",
"dateUpdated": "2026-06-25T12:59:39.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-54514",
"date": "2026-07-13",
"epss": "0.00219",
"percentile": "0.12303"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-54514\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-23T21:17:02.467\",\"lastModified\":\"2026-06-27T20:55:09.610\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"FasterXML\",\"product\":\"jackson-databind\",\"versions\":[{\"version\":\"\u003e= 2.0.0, \u003c 2.18.8\",\"status\":\"affected\"},{\"version\":\"\u003e= 2.19.0, \u003c 2.21.4\",\"status\":\"affected\"},{\"version\":\"\u003e= 3.0.0, \u003c 3.1.4\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-25T12:59:31.298188Z\",\"id\":\"CVE-2026-54514\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.18.8\",\"matchCriteriaId\":\"F2F45F92-21A6-4F21-B90C-FE73B2FA65B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.19.0\",\"versionEndExcluding\":\"2.21.4\",\"matchCriteriaId\":\"59601D96-4AB4-4B53-8DEC-305A6D442E6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.1.4\",\"matchCriteriaId\":\"5C0F99DE-1DB7-4873-83F9-6CEF8E91F33C\"}]}]}],\"references\":[{\"url\":\"https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/pull/5951\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-13T14:55:58+00:00",
"cve": "CVE-2026-54514",
"id": "CVE-2026-54514",
"initial_release_date": "2026-06-23T20:51:50.612000+00:00",
"product_status:known_affected": "101",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "jackson-databind: jackson-databind: Information Disclosure via Eager DNS Resolution",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54514.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54514\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T12:59:31.298188Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-25T12:59:35.285Z\"}}], \"cna\": {\"title\": \"jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)\", \"source\": {\"advisory\": \"GHSA-hgj6-7826-r7m5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"FasterXML\", \"product\": \"jackson-databind\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.18.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.19.0, \u003c 2.21.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.1.4\"}]}], \"references\": [{\"url\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5\", \"name\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/pull/5951\", \"name\": \"https://github.com/FasterXML/jackson-databind/pull/5951\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4\", \"name\": \"https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T20:52:38.568Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-54514\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-25T12:59:39.055Z\", \"dateReserved\": \"2026-06-15T18:01:15.514Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T20:51:50.612Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-54514
Vulnerability from fkie_nvd - Published: 2026-06-23 21:17 - Updated: 2026-06-27 20:55| Vendor | Product | Version | |
|---|---|---|---|
| fasterxml | jackson-databind | * | |
| fasterxml | jackson-databind | * | |
| fasterxml | jackson-databind | * |
{
"affected": [
{
"affectedData": [
{
"product": "jackson-databind",
"vendor": "FasterXML",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.18.8"
},
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.21.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.4"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F2F45F92-21A6-4F21-B90C-FE73B2FA65B7",
"versionEndExcluding": "2.18.8",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59601D96-4AB4-4B53-8DEC-305A6D442E6E",
"versionEndExcluding": "2.21.4",
"versionStartIncluding": "2.19.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5C0F99DE-1DB7-4873-83F9-6CEF8E91F33C",
"versionEndExcluding": "3.1.4",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."
}
],
"id": "CVE-2026-54514",
"lastModified": "2026-06-27T20:55:09.610",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-54514",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:59:31.298188Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-23T21:17:02.467",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/FasterXML/jackson-databind/pull/5951"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-HGJ6-7826-R7M5
Vulnerability from github – Published: 2026-06-23 21:22 – Updated: 2026-06-23 21:22Summary
JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.
Impact
An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.
Affected / Patched (verified via git tag --contains on 1f5a103)
- 2.18 line:
>= 2.18.0, < 2.18.8-> fixed in 2.18.8 - 2.19-2.21 line:
>= 2.19.0, < 2.21.4-> fixed in 2.21.4 - 3.x line:
>= 3.0.0, < 3.1.4-> fixed in 3.1.4
Severity / CWE
Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).
Upstream fix
FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.18.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.19.0"
},
{
"fixed": "2.21.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "tools.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.19.0"
},
{
"fixed": "2.21.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "tools.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54514"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T21:22:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n`JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAddress` field issues an attacker-chosen DNS query during `readValue`, before any application-level validation or connect logic. The fix uses `InetSocketAddress.createUnresolved(host, port)`, deferring DNS to an explicit connect.\n\n## Impact\nAn attacker controlling JSON deserialized into an `InetSocketAddress`-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.\n\n## Affected / Patched (verified via `git tag --contains` on `1f5a103`)\n- 2.18 line: `\u003e= 2.18.0, \u003c 2.18.8` -\u003e fixed in **2.18.8**\n- 2.19-2.21 line: `\u003e= 2.19.0, \u003c 2.21.4` -\u003e fixed in **2.21.4**\n- 3.x line: `\u003e= 3.0.0, \u003c 3.1.4` -\u003e fixed in **3.1.4**\n\n## Severity / CWE\nMaintainer: minor. Reporter: LOW. CWE-918 (SSRF).\n\n## Upstream fix\nFasterXML/jackson-databind#5951 (\"Improve InetSocketAddress deserialization\"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.\n\n## Credits\nOmkhar Arasaratnam (@omkhar) - finder.",
"id": "GHSA-hgj6-7826-r7m5",
"modified": "2026-06-23T21:22:54Z",
"published": "2026-06-23T21:22:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/pull/5951"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4"
},
{
"type": "PACKAGE",
"url": "https://github.com/FasterXML/jackson-databind"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)"
}
OPENSUSE-SU-2026:11118-1
Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jackson-databind-2.18.8-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jackson-databind-2.18.8-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11118",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11118-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54513 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54513/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54514 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54514/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54515 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54515/"
}
],
"title": "jackson-databind-2.18.8-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-25T00:00:00Z",
"generator": {
"date": "2026-06-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11118-1",
"initial_release_date": "2026-06-25T00:00:00Z",
"revision_history": [
{
"date": "2026-06-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-1.1.aarch64",
"product": {
"name": "jackson-databind-2.18.8-1.1.aarch64",
"product_id": "jackson-databind-2.18.8-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
"product": {
"name": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
"product_id": "jackson-databind-javadoc-2.18.8-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-1.1.ppc64le",
"product": {
"name": "jackson-databind-2.18.8-1.1.ppc64le",
"product_id": "jackson-databind-2.18.8-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"product": {
"name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"product_id": "jackson-databind-javadoc-2.18.8-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-1.1.s390x",
"product": {
"name": "jackson-databind-2.18.8-1.1.s390x",
"product_id": "jackson-databind-2.18.8-1.1.s390x"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-1.1.s390x",
"product": {
"name": "jackson-databind-javadoc-2.18.8-1.1.s390x",
"product_id": "jackson-databind-javadoc-2.18.8-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-1.1.x86_64",
"product": {
"name": "jackson-databind-2.18.8-1.1.x86_64",
"product_id": "jackson-databind-2.18.8-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
"product": {
"name": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
"product_id": "jackson-databind-javadoc-2.18.8-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64"
},
"product_reference": "jackson-databind-2.18.8-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le"
},
"product_reference": "jackson-databind-2.18.8-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x"
},
"product_reference": "jackson-databind-2.18.8-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64"
},
"product_reference": "jackson-databind-2.18.8-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64"
},
"product_reference": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le"
},
"product_reference": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x"
},
"product_reference": "jackson-databind-javadoc-2.18.8-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
},
"product_reference": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-54513",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54513"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54513",
"url": "https://www.suse.com/security/cve/CVE-2026-54513"
},
{
"category": "external",
"summary": "SUSE Bug 1268898 for CVE-2026-54513",
"url": "https://bugzilla.suse.com/1268898"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-54513"
},
{
"cve": "CVE-2026-54514",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54514"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54514",
"url": "https://www.suse.com/security/cve/CVE-2026-54514"
},
{
"category": "external",
"summary": "SUSE Bug 1268899 for CVE-2026-54514",
"url": "https://bugzilla.suse.com/1268899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54514"
},
{
"cve": "CVE-2026-54515",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54515"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map - restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54515",
"url": "https://www.suse.com/security/cve/CVE-2026-54515"
},
{
"category": "external",
"summary": "SUSE Bug 1268902 for CVE-2026-54515",
"url": "https://bugzilla.suse.com/1268902"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54515"
}
]
}
SUSE-SU-2026:22504-1
Vulnerability from csaf_suse - Published: 2026-07-01 08:56 - Updated: 2026-07-01 08:56| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jackson-annotations, jackson-core, jackson-databind",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues\n\n- CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows\n arbitrary class instantiation (bsc#1268897).\n- CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898).\n- CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899).\n- CVE-2026-54515: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties\n (bsc#1268902).\n- document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603).\n\nChanges for jackson-annotations:\n\n- Update to 2.18.8\n * No changes since 2.17.3\n\nChanges for jackson-core:\n\n- Update to 2.18.8\n * Changes of 2.18.8\n + #1611: Apply number-length validator on streaming integer path\n of async parser\n * Changes of 2.18.7\n + #1570: Fail parsing from \u0027DataInput\u0027 if \u0027StreamReadConstraints\n .getMaxDocumentLength()\u0027 set\n (bsc#1268603, GHSA-2m67-wjpj-xhg9)\n + #1600: Rework 3rd party licenses in jar\n + #1602: \u0027UTF8DataInputJsonParser\u0027 needs to enforce\n \u0027StreamReadConstraints.maxNameLength\u0027 limit\n * Changes of 2.18.6\n + #1512: Number-parsing fix for \u0027UTF8DataInputJsonParser\u0027\n + #1548: \u0027StreamReadConstraints.maxDocumentLength\u0027 not checked\n when creating parser with fixed buffer\n + #1555: Enforce \u0027StreamReadConstraints.maxNumberLength\u0027 for\n non-blocking (async) parser\n * Changes of 2.18.5\n + #1433: \u0027JsonParser#getNumberType()\u0027 throws\n \u0027JsonParseException\u0027 when the current token is non-numeric\n instead of returning null\n + #1446: Invalid package reference to \"java.lang.foreign\" from\n \u0027com.fasterxml.jackson.core:jackson-core\u0027 (from\n \u0027FastDoubleParser\u0027)\n * Changes of 2.18.3\n + #1391: Fix issue where the parser can read back old number\n state when parsing later numbers\n + #1397: Jackson changes additional values to infinite in case\n of special JSON structures and existing infinite values\n + #1398: Fix issue that feature\n COMBINE_UNICODE_SURROGATES_IN_UTF8 doesn\u0027t work when custom\n characterEscape is used\n * Changes of 2.18.2\n + #1359: Non-surrogate characters being incorrectly combined\n when \u0027JsonWriteFeature.COMBINE_UNICODE_SURROGATES_IN_UTF8\u0027 is\n enabled\n * Changes of 2.18.1\n + #1353: Use fastdoubleparser 1.0.90\n * Changes of 2.18.\n + #223: \u0027UTF8JsonGenerator\u0027 writes supplementary characters as a\n surrogate pair: should use 4-byte encoding\n + #1230: Improve performance of \u0027float\u0027 and \u0027double\u0027 parsing\n from \u0027TextBuffer\u0027\n + #1251: \u0027InternCache\u0027 replace synchronized with \u0027ReentrantLock\u0027\n - the cache size limit is no longer strictly enforced for\n performance reasons but we should never go far about the limit\n + #1252: \u0027ThreadLocalBufferManager\u0027 replace synchronized with\n \u0027ReentrantLock\u0027\n + #1257: Increase InternCache default max size from 100 to 200\n + #1262: Add diagnostic method \u0027pooledCount()\u0027 in \u0027RecyclerPool\u0027\n + #1264: Rename shaded \u0027ch.randelshofer:fastdoubleparser\u0027\n classes to prevent use by downstream consumers\n + #1271: Deprecate \u0027LockFreePool\u0027 implementation in 2.18 (remove\n from 3.0)\n + #1274: \u0027NUL\u0027-corrupted keys, values on JSON serialization\n + #1277: Add back Java 22 optimisation in FastDoubleParser\n + #1284: Optimize \u0027JsonParser.getDoubleValue()/getFloatValue()\n /getDecimalValue()\u0027 to avoid String allocation\n + #1305: Make helper methods of \u0027WriterBasedJsonGenerator\u0027\n non-final to allow overriding\n + #1310: Add new \u0027StreamReadConstraints\u0027 (\u0027maxTokenCount\u0027) to\n limit maximum number of Tokens allowed per document#\n + #1331: Update to FastDoubleParser v1.0.1 to fix \u0027BigDecimal\u0027\n decoding proble\n\nChanges for jackson-databind:\n\n- Update to 2.18.8\n * Changes of 2.18.8\n + #5950: Improve \u0027UUIDeserializer\u0027 error handling\n + #5951: Improve \u0027InetSocketAddress\u0027 deserialization\n (bsc#1268899, CVE-2026-54514)\n + #5969: \u0027@JsonView\u0027 by-passed for some \"setterless\" creator\n properties\n + #5971: \u0027@JsonView\u0027 by-passed for unwrapped creator parameters\n + #5974: \u0027@JsonIgnore\u0027 on Record property ignored with\n \u0027PropertyNamingStrategy\u0027\n + #5981: \u0027BasicPolymorphicTypeValidator\u0027 setting\n \u0027allowIfSubTypeIsArray()\u0027 should validate element type\n (bsc#1268898, CVE-2026-54513)\n + #5988: \u0027PolymorphicTypeValidator\u0027 needs to validate generic\n type parameters too (bsc#1268897, CVE-2026-54512)\n + #5993: \u0027UPPER_SNAKE_CASE\u0027 / \u0027LOWER_CASE\u0027 \u0027NamingStrategyImpls\u0027\n fold case using JVM default locale (Turkish-I bug)\n * Changes of 2.18.4\n + #4628: \u0027@JsonIgnore\u0027 and \u0027@JsonProperty.access=READ_ONLY\u0027 on\n Record property ignored for deserialization\n + #5049: Duplicate creator property \"b\" (index 0 vs 1) on simple\n java record\n * Changes of 2.18.3\n + #4444: The \u0027KeyDeserializer\u0027 specified in the class with\n \u0027@JsonDeserialize(keyUsing = ...)\u0027 is overwritten by the\n \u0027KeyDeserializer\u0027 specified in the \u0027ObjectMapper\u0027.\n + #4827: Subclassed Throwable deserialization fails since\n v2.18.0 - no creator index for property \u0027cause\u0027\n + #4844: Fix wrapped array handling wrt \u0027null\u0027 by\n \u0027StdDeserializer\u0027\n + #4848: Avoid type pollution in \u0027StringCollectionDeserializer\u0027\n + #4860: \u0027ConstructorDetector.USE_PROPERTIES_BASED\u0027 does not\n work with multiple constructors since 2.18\n + #4878: When serializing a Map via\n Converter(StdDelegatingSerializer), a NullPointerException is\n thrown due to missing key serializer\n + #4908: Deserialization behavior change with @JsonCreator and\n @ConstructorProperties between 2.17 and 2.18\n + #4917: \u0027BigDecimal\u0027 deserialization issue when using\n \u0027@JsonCreator\u0027\n + #4920: Creator properties are ignored on abstract types when\n collecting bean properties, breaking AsExternalTypeDeserializer\n + #4922: Failing \u0027@JsonMerge\u0027 with a custom Map\n + #4932: Conversion of \u0027MissingNode\u0027 throws\n \u0027JsonProcessingException\u0027\n * Changes of 2.18.2\n + #4733: Wrong serialization of Type Ids for certain types of\n Enum values\n + #4742: Deserialization with Builder, External type id,\n \u0027@JsonCreator\u0027 failing\n + #4777: \u0027StdValueInstantiator.withArgsCreator\u0027 is now set for\n creators with no arguments\n + #4783 Possibly wrong behavior of @JsonMerge\n + #4787: Wrong \u0027String.format()\u0027 in \u0027StdDelegatingDeserializer\u0027\n hides actual error\n + #4788: \u0027EnumFeature.WRITE_ENUMS_TO_LOWERCASE\u0027 overrides\n \u0027@JsonProperty\u0027 values\n + #4790: Fix \u0027@JsonAnySetter\u0027 issue with \"setter\" method\n (related to #4639)\n + #4807: Improve \u0027FactoryBasedEnumDeserializer\u0027 to work better\n with XML module\n + #4810: Deserialization using \u0027@JsonCreator\u0027 with renamed\n property failing (since 2.18)\n * Changes of 2.18.1\n + #4508: Deserialized JsonAnySetter field in Kotlin data class\n is null\n + #4639: @JsonAnySetter on field ignoring unrecognized\n properties if they are declared before the last recognized\n properties in JSON\n + #4718: Should not fail on trying to serialize\n \u0027java.time.DateTimeException\u0027\n + #4724: Deserialization behavior change with Records,\n \u0027@JsonCreator\u0027 and \u0027@JsonValue\u0027 between 2.17 and 2.18\n + #4727: Eclipse having issues due\u0027module-info\u0027 class \"lost\" on\n 2.18.0 jars\n + #4741: When \u0027Include.NON_DEFAULT\u0027 setting is used on POJO,\n empty values are not included in json if default is \u0027null\u0027\n + #4749: Fixed a problem with\n \u0027StdDelegatingSerializer#serializeWithType\u0027 looking up the\n serializer with the wrong argument\n * Changes of 2.18.0\n + #562: Allow \u0027@JsonAnySetter\u0027 to flow through Creators\n + #806: Problem with \u0027NamingStrategy\u0027, creator methods with\n implicit names\n + #2977: Incompatible \u0027FAIL_ON_MISSING_PRIMITIVE_PROPERTIES\u0027 and\n field level \u0027@JsonProperty\u0027\n + #3120: Return \u0027ListIterator\u0027 from \u0027ArrayNode.elements()\u0027\n + #3241: \u0027constructorDetector\u0027 seems to invalidate\n \u0027defaultSetterInfo\u0027 for nullability\n + #3439: Java Record \u0027@JsonAnySetter\u0027 value is null after\n deserialization\n + #4085: \u0027@JsonView\u0027 does not work on class-level for records\n + #4119: Exception when deserialization uses a record with a\n constructor property with \u0027access=READ_ONLY\u0027\n + #4356: \u0027BeanDeserializerModifier::updateBuilder()\u0027 doesn\u0027t\n work for beans with Creator methods\n + #4407: \u0027null\u0027 type id handling does not work with\n \u0027writeTypePrefix()\u0027\n + #4452: \u0027@JsonProperty\u0027 not serializing field names properly on\n \u0027@JsonCreator\u0027 in Record\n + #4453: Allow JSON Integer to deserialize into a single-arg\n constructor of parameter type \u0027double\u0027\n + #4456: Rework locking in \u0027DeserializerCache\u0027\n + #4458: Rework synchronized block from \u0027BeanDeserializerBase\u0027\n + #4464: When \u0027Include.NON_DEFAULT\u0027 setting is used, \u0027isEmpty()\u0027\n method is not called on the serializer\n + #4472: Rework synchronized block in \u0027TypeDeserializerBase\u0027\n + #4483: Remove \u0027final\u0027 on method BeanSerializer.serialize()\n + #4515: Rewrite Bean Property Introspection logic in Jackson\n 2.x\n + #4545: Unexpected deserialization behavior with\n \u0027@JsonCreator\u0027, \u0027@JsonProperty\u0027 and javac \u0027-parameters\u0027\n + #4570: Deprecate \u0027ObjectMapper.canDeserialize()\u0027/\u0027ObjectMapper\n .canSerialize()\u0027\n + #4580: Add \u0027MapperFeature\n .SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER\u0027 to use Creator\n properties\u0027 declaration order for sorting\n + #4584: Provide extension point for detecting \"primary\"\n Constructor for Kotlin (and similar) data classes\n + #4602: Possible wrong use of _arrayDelegateDeserializer in\n BeanDeserializerBase::deserializeFromObjectUsingNonDefault()\n + #4617: Record property serialization order not preserved\n + #4626: \u0027@JsonIgnore\u0027 on Record property ignored for\n deserialization, if there is getter override\n + #4630: \u0027@JsonIncludeProperties\u0027, \u0027@JsonIgnoreProperties\u0027\n ignored when serializing Records, if there is getter override\n + #4634: \u0027@JsonAnySetter\u0027 not working when annotated on both\n constructor parameter \u0026 field\n + #4678: Java records don\u0027t serialize with \u0027MapperFeature\n .REQUIRE_SETTERS_FOR_GETTERS\u0027\n + #4688: Should allow deserializing with no-arg\n \u0027@JsonCreator(mode = DELEGATING)\u0027\n + #4694: Deserializing \u0027BigDecimal\u0027 with large number of\n decimals result in incorrect value\n + #4699: Add extra \u0027writeNumber()\u0027 method in \u0027TokenBuffer\u0027\n + #4709: Add \u0027JacksonCollectors\u0027 with \u0027toArrayNode()\u0027\n implementation\n + Fix #5962: Case-insensitive deserialization may use wrong\n @JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-1124",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22504-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22504-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622504-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22504-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-July/048006.html"
},
{
"category": "self",
"summary": "SUSE Bug 1268603",
"url": "https://bugzilla.suse.com/1268603"
},
{
"category": "self",
"summary": "SUSE Bug 1268897",
"url": "https://bugzilla.suse.com/1268897"
},
{
"category": "self",
"summary": "SUSE Bug 1268898",
"url": "https://bugzilla.suse.com/1268898"
},
{
"category": "self",
"summary": "SUSE Bug 1268899",
"url": "https://bugzilla.suse.com/1268899"
},
{
"category": "self",
"summary": "SUSE Bug 1268902",
"url": "https://bugzilla.suse.com/1268902"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54512 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54512/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54513 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54513/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54514 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54514/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54515 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54515/"
}
],
"title": "Security update for jackson-annotations, jackson-core, jackson-databind",
"tracking": {
"current_release_date": "2026-07-01T08:56:00Z",
"generator": {
"date": "2026-07-01T08:56:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22504-1",
"initial_release_date": "2026-07-01T08:56:00Z",
"revision_history": [
{
"date": "2026-07-01T08:56:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jackson-annotations-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch",
"product_id": "jackson-annotations-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-core-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-core-2.18.8-160000.1.1.noarch",
"product_id": "jackson-core-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-core-javadoc-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-databind-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch",
"product_id": "jackson-databind-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-54512",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54512"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container - for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54512",
"url": "https://www.suse.com/security/cve/CVE-2026-54512"
},
{
"category": "external",
"summary": "SUSE Bug 1268897 for CVE-2026-54512",
"url": "https://bugzilla.suse.com/1268897"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "important"
}
],
"title": "CVE-2026-54512"
},
{
"cve": "CVE-2026-54513",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54513"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54513",
"url": "https://www.suse.com/security/cve/CVE-2026-54513"
},
{
"category": "external",
"summary": "SUSE Bug 1268898 for CVE-2026-54513",
"url": "https://bugzilla.suse.com/1268898"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "important"
}
],
"title": "CVE-2026-54513"
},
{
"cve": "CVE-2026-54514",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54514"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54514",
"url": "https://www.suse.com/security/cve/CVE-2026-54514"
},
{
"category": "external",
"summary": "SUSE Bug 1268899 for CVE-2026-54514",
"url": "https://bugzilla.suse.com/1268899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54514"
},
{
"cve": "CVE-2026-54515",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54515"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map - restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54515",
"url": "https://www.suse.com/security/cve/CVE-2026-54515"
},
{
"category": "external",
"summary": "SUSE Bug 1268902 for CVE-2026-54515",
"url": "https://bugzilla.suse.com/1268902"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54515"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.