[GHSA-5jmj-h7xm-6q6v] jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties #8112
Hi there @cowtowncoder! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
| "events": [ | ||
| { | ||
| "introduced": "3.1.0" | ||
| "introduced": "2.22.0" |
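Review bot: moving `introduced` from 3.1.0 to 2.22.0 removes the 3.x window from this range, so the hunk is only correct if the separate tools.jackson range the contributor refers to still carries `"introduced": "3.1.0"` and `"fixed": "3.1.4"`; please confirm that entry is untouched in the same PR. Since Jackson 3.x is published under the tools.jackson group id rather than com.fasterxml, the old 3.1.0 start on these coordinates could never have matched a real artifact, which is the underlying reason the change is right. Note also that the hunk shows only the events list and not the package coordinates it hangs off, so reviewers have to take the groupId on trust from the surrounding JSON.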
This section treats v3 Jackson as com.fasterxml, so I reused it for v2.22.
There is another pre-existing tools.jackson section covering the v3 affected versions anyway.
Pull request overview
Updates the GHSA advisory record for jackson-databind to reflect the newly confirmed patched release in the 2.22 line, keeping the advisory’s human-readable description and machine-readable affected ranges aligned.
Changes:
- Adds 2.22.1 to the “Affected / Patched” section in `details`.
- Updates the Maven `affected.ranges` entry to represent the 2.22.0 → 2.22.1 vulnerable window.
- Bumps the advisory `modified` timestamp.
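The ranges this PR edits use the OSV events format, where each `introduced` is inclusive and each `fixed` is exclusive. The following is an added example, not code from the advisory, from GitHub or from the Jackson project: it evaluates such an events list for a candidate version and validates that every introduced/fixed pair is well-formed, which is the check a curator wants before merging a range edit. The `tools.jackson.core:jackson-databind` coordinates and the 3.1.0 → 3.1.4 events are assumed from the contributor's comment, and the version comparator is a simplified one (dotted numbers plus an optional `-rcN` suffix), not Maven's ComparableVersion.

```python
import re

# Constructed sample: the com.fasterxml range as this PR leaves it, plus the
# separate 3.x range the contributor mentions (coordinates are an assumption).
RANGES = {
    "com.fasterxml.jackson.core:jackson-databind": [
        {"introduced": "2.22.0"},
        {"fixed": "2.22.1"},
    ],
    "tools.jackson.core:jackson-databind": [
        {"introduced": "3.1.0"},
        {"fixed": "3.1.4"},
    ],
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")


def parse_version(text):
    """Turn '2.22.0' or '2.22.0-rc1' into a sortable key.

    A pre-release suffix sorts below the plain release with the same numbers,
    so 2.22.0-rc1 < 2.22.0 < 2.22.1. Simplified comparator, not Maven's.
    """
    m = _VERSION_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))          # 2.22 == 2.22.0
    if m.group(2):
        release_key = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        release_key = (1, "", 0)
    return numbers, release_key


def affected_windows(events):
    """Pair OSV events into (start, end, end_inclusive) windows, in order."""
    windows, start = [], None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
        elif "fixed" in event:
            windows.append((start, event["fixed"], False))
            start = None
        elif "last_affected" in event:
            windows.append((start, event["last_affected"], True))
            start = None
    if start is not None:                          # open-ended range
        windows.append((start, None, False))
    return windows


def is_affected(events, version):
    """True if version falls in any window: introduced inclusive, fixed exclusive."""
    v = parse_version(version)
    for start, end, inclusive in affected_windows(events):
        if start is not None and v < parse_version(start):
            continue
        if end is None:
            return True
        e = parse_version(end)
        if v < e or (inclusive and v == e):
            return True
    return False


def validate_events(events):
    """Report unpaired events and windows whose fix is not after its introduction."""
    problems, start = [], None
    for event in events:
        if "introduced" in event:
            if start is not None:
                problems.append(f"introduced {event['introduced']} while {start} still open")
            start = event["introduced"]
            continue
        key = "fixed" if "fixed" in event else "last_affected"
        end = event[key]
        if start is None:
            problems.append(f"{key} {end} has no preceding introduced")
        elif key == "fixed" and parse_version(end) <= parse_version(start):
            problems.append(f"fixed {end} is not after introduced {start}")
        start = None
    return problems


if __name__ == "__main__":
    for coords, events in RANGES.items():
        print(coords, "problems:", validate_events(events) or "none")
        for candidate in ("2.21.2", "2.22.0-rc1", "2.22.0", "2.22.1", "3.1.3", "3.1.4"):
            print(f"  {candidate:<12} affected={is_affected(events, candidate)}")
    # What the range would look like if only one of the PR's two hunks landed:
    half_applied = [{"introduced": "3.1.0"}, {"fixed": "2.22.1"}]
    print("half-applied PR:", validate_events(half_applied))
```

The `half_applied` case is the reason the two hunks in this PR have to be merged together: with the old `introduced` and the new `fixed`, the window is empty and the validator flags it.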
| "introduced": "2.22.0" | ||
| }, | ||
| { | ||
| "fixed": "3.1.4" | ||
| "fixed": "2.22.1" | ||
| } |
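Review bot: with `fixed` now 2.22.1 and `introduced` 2.22.0, 2.22.0 becomes the only affected 2.x release under these coordinates; if any earlier 2.x line is also affected it needs its own introduced/fixed pair rather than a widening of this one. This hunk only holds together with the `introduced` change in the earlier hunk: applied alone it leaves `"introduced": "3.1.0"` followed by `"fixed": "2.22.1"`, an empty window. The "Affected / Patched" text in `details` should state the same 2.22.0 / 2.22.1 boundary so the human-readable and machine-readable views cannot drift.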
update fix versions, including 2.22.1 -- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.22.1