Skip to content

fix(security): bump jackson-databind to 2.18.8#160

Open
alexgomezlf wants to merge 7 commits into
v2from
alex/fix-jackson-databind-cve-2026-54512-54513
Open

fix(security): bump jackson-databind to 2.18.8#160
alexgomezlf wants to merge 7 commits into
v2from
alex/fix-jackson-databind-cve-2026-54512-54513

Conversation

@alexgomezlf

Copy link
Copy Markdown
Contributor

Bumps the shared jackson-version property from 2.18.2 to 2.18.8 to remediate two Veracode-flagged CVEs in jackson-databind:

  • CVE-2026-54512 — PolymorphicTypeValidator bypass via generic type parameters
  • CVE-2026-54513 — PolymorphicTypeValidator bypass via array component types (allowIfSubTypeIsArray)

Both are fixed upstream in 2.18.8.

Note: the v1 branch has the same vulnerable pin but is out of scope here since the flagged Veracode build corresponds to v2.

Fixes #679086
Fixes #679087

alexgomezlf and others added 4 commits July 8, 2026 14:48
…54512 and CVE-2026-54513

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…tion can post check runs

Default GITHUB_TOKEN permissions are read-only, so EnricoMi/publish-unit-test-result-action
was failing with 403 Resource not accessible by integration on every PR.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…R comment

checks:write alone got the check runs created, but the action's default
comment_mode also posts/updates a PR comment, which needs pull-requests:write.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

unit-test-results

25 tests  ±0   25 ✅ ±0   0s ⏱️ ±0s
 3 suites ±0    0 💤 ±0 
 3 files   ±0    0 ❌ ±0 

Results for commit 030ca55. ± Comparison against base commit 50913c6.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

integration-test-results-cloud

77 tests  ±0   74 ✅ +1   3m 23s ⏱️ -51s
16 suites ±0    1 💤 ±0 
16 files   ±0    1 ❌  - 1   1 🔥 ±0 

For more details on these failures and errors, see this check.

Results for commit 030ca55. ± Comparison against base commit 50913c6.

♻️ This comment has been updated with latest results.

alexgomezlf and others added 3 commits July 9, 2026 18:03
…lder

Access denied errors trace back to the service principal not having access
to whatever repo DEV_CA_PUBLIC_USE_REPOSITORY_ID_2 points to (confirmed via
RepositoriesClientTest.listRepositoriesWorks: listRepositories() succeeds but
that repo ID isn't in the returned list). Trying REPOSITORY_ID_1 (used by the
dotnet/JS clients) with a hardcoded folder ID to see what actually fails now
that auth itself isn't the blocker. Not a real fix - just a diagnostic.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant