From a216762ac1a03281600206bce66ce3c5251ce558 Mon Sep 17 00:00:00 2001 From: Prashant Pandey <84911643+suddendust@users.noreply.github.com> Date: Thu, 2 Jul 2026 10:06:00 +0530 Subject: [PATCH 1/5] Upgrade Jackson Databind for CVE-2026-54515 Ref: https://nvd.nist.gov/vuln/detail/CVE-2026-54515 --- gradle/libs.versions.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 4ce2ada7..2beccac1 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -5,7 +5,7 @@ org-mockito = "5.8.0" org-testcontainers = "1.17.6" [libraries] -com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.18.8" } +com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.18.9" } com-github-java-json-tools-json-patch = { module = "com.github.java-json-tools:json-patch", version = "1.13" } com-google-guava = { module = "com.google.guava:guava", version = "32.0.1-jre" } com-typesafe-config = { module = "com.typesafe:config", version = "1.4.2" } From 89e89827af6732ab099c7e1b47af4528d6143b4c Mon Sep 17 00:00:00 2001 From: Prashant Pandey <84911643+suddendust@users.noreply.github.com> Date: Thu, 2 Jul 2026 10:09:19 +0530 Subject: [PATCH 2/5] Update libs.versions.toml --- gradle/libs.versions.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 2beccac1..177653cf 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -5,7 +5,7 @@ org-mockito = "5.8.0" org-testcontainers = "1.17.6" [libraries] -com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.18.9" } +com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.21.5" } com-github-java-json-tools-json-patch = { module = "com.github.java-json-tools:json-patch", version = "1.13" } com-google-guava = { module = "com.google.guava:guava", version = "32.0.1-jre" } com-typesafe-config = { module = "com.typesafe:config", version = "1.4.2" } From df125b404bd195112e6a5d3ab4705c39b322fa32 Mon Sep 17 00:00:00 2001 From: Prashant Pandey <84911643+suddendust@users.noreply.github.com> Date: Thu, 2 Jul 2026 10:19:19 +0530 Subject: [PATCH 3/5] Update libs.versions.toml --- gradle/libs.versions.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 177653cf..2beccac1 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -5,7 +5,7 @@ org-mockito = "5.8.0" org-testcontainers = "1.17.6" [libraries] -com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.21.5" } +com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.18.9" } com-github-java-json-tools-json-patch = { module = "com.github.java-json-tools:json-patch", version = "1.13" } com-google-guava = { module = "com.google.guava:guava", version = "32.0.1-jre" } com-typesafe-config = { module = "com.typesafe:config", version = "1.4.2" } From 190e4fdb292df0352627f9ed8a21f8a72088fb61 Mon Sep 17 00:00:00 2001 From: Prashant Pandey Date: Thu, 2 Jul 2026 10:31:27 +0530 Subject: [PATCH 4/5] Add suppression for 2.18.8 --- gradle/libs.versions.toml | 2 +- owasp-suppressions.xml | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 2beccac1..4ce2ada7 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -5,7 +5,7 @@ org-mockito = "5.8.0" org-testcontainers = "1.17.6" [libraries] -com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.18.9" } +com-fasterxml-jackson-core-jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.18.8" } com-github-java-json-tools-json-patch = { module = "com.github.java-json-tools:json-patch", version = "1.13" } com-google-guava = { module = "com.google.guava:guava", version = "32.0.1-jre" } com-typesafe-config = { module = "com.typesafe:config", version = "1.4.2" } diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml index d9807a92..efeead26 100644 --- a/owasp-suppressions.xml +++ b/owasp-suppressions.xml @@ -17,4 +17,15 @@ ^pkg:maven/org\.postgresql/postgresql@.*$ CVE-2020-21469 + + + ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ + REPLACE_WITH_CVE_FROM_ADVISORY + From 329e066d26a45fd92c0ecced7ae0028e64d83a2e Mon Sep 17 00:00:00 2001 From: Prashant Pandey Date: Thu, 2 Jul 2026 13:26:32 +0530 Subject: [PATCH 5/5] Fix CVE name --- owasp-suppressions.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml index efeead26..8166a256 100644 --- a/owasp-suppressions.xml +++ b/owasp-suppressions.xml @@ -26,6 +26,6 @@ bump jackson-bom to 2.18.9 once it resolves. ]]> ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ - REPLACE_WITH_CVE_FROM_ADVISORY + CVE-2026-54515