5.3
CVE-2026-54515
- EPSS 0.35%
- Veröffentlicht 23.06.2026 21:17:02
- Zuletzt bearbeitet 29.06.2026 13:38:59
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fasterxml ≫ Jackson-databind Version >= 2.8.0 < 2.18.9
Fasterxml ≫ Jackson-databind Version >= 2.19.0 < 2.21.5
Fasterxml ≫ Jackson-databind Version >= 3.0.0 < 3.1.4
Fasterxml ≫ Jackson-databind Version2.22.0
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.263 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
https://github.com/FasterXML/jackson-databind/commit/0e1b0b211f7a53baa62ba2f4c9bd006c7bf4d5fa
https://github.com/FasterXML/jackson-databind/issues/5962
https://github.com/FasterXML/jackson-databind/issues/5964
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5jmj-h7xm-6q6v