From d7436958643bccbdb053f65214f33bd4b756b06c Mon Sep 17 00:00:00 2001 From: sophia chen Date: Thu, 25 Jun 2026 10:30:24 +1000 Subject: [PATCH 1/2] UID2-7364: Upgrade jackson-databind 2.14.2 -> 2.19.0 to fix CVE-2026-54512 / CVE-2026-54513 Also pin jackson-core to 2.19.0 to resolve version conflict with transitive dependency that previously pulled in 2.16.1. Co-Authored-By: Claude Sonnet 4.6 --- pom.xml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 27685223..692a4133 100644 --- a/pom.xml +++ b/pom.xml @@ -206,10 +206,15 @@ cbor 0.9 + + com.fasterxml.jackson.core + jackson-core + 2.19.0 + com.fasterxml.jackson.core jackson-databind - 2.14.2 + 2.19.0 org.projectlombok From f4392a3f1008a81d919e63fd2b608e077a33b19c Mon Sep 17 00:00:00 2001 From: sophia chen Date: Thu, 25 Jun 2026 10:40:00 +1000 Subject: [PATCH 2/2] UID2-7364: Suppress CVE-2026-54512 / CVE-2026-54513 in .trivyignore until upstream fix is released Upstream fix versions (2.18.8, 2.21.4, 3.1.4) are not yet available on Maven Central. Suppressed with 1-month expiry pending a patch release. Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.trivyignore b/.trivyignore index 95aa9b7d..034ca026 100644 --- a/.trivyignore +++ b/.trivyignore @@ -5,3 +5,8 @@ # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API # See: UID2-6670 GHSA-72hv-8253-57qq exp:2026-09-01 + +# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4) +# See: UID2-7364 +CVE-2026-54512 exp:2026-07-25 +CVE-2026-54513 exp:2026-07-25