Skip to content

CVE-2026-54515 (Medium) detected in jackson-databind-2.19.1.jar #388

Description

@mend-bolt-for-github

CVE-2026-54515 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.19.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: https://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.19.1/jackson-databind-2.19.1.jar

Dependency Hierarchy:

  • flyway-core-10.10.0.jar (Root Library)
    • jackson-dataformat-toml-2.19.1.jar
      • jackson-databind-2.19.1.jar (Vulnerable Library)

Found in HEAD commit: 270465e4bf74e87253e9245ca2e1fc7ed83b0cbb

Found in base branch: master

Vulnerability Details

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @⁠JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @⁠JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.

Publish Date: 2026-06-23

URL: CVE-2026-54515

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-23

Fix Resolution: https://github.com/FasterXML/jackson-databind.git - jackson-databind-3.1.4


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions