CVE-2026-54515 - Medium Severity Vulnerability
Vulnerable Library - jackson-databind-2.19.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: https://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.19.1/jackson-databind-2.19.1.jar
Dependency Hierarchy:
- flyway-core-10.10.0.jar (Root Library)
- jackson-dataformat-toml-2.19.1.jar
- ❌ jackson-databind-2.19.1.jar (Vulnerable Library)
Found in HEAD commit: 270465e4bf74e87253e9245ca2e1fc7ed83b0cbb
Found in base branch: master
Vulnerability Details
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
Publish Date: 2026-06-23
URL: CVE-2026-54515
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-23
Fix Resolution: https://github.com/FasterXML/jackson-databind.git - jackson-databind-3.1.4
Step up your Open Source Security Game with Mend here
CVE-2026-54515 - Medium Severity Vulnerability
General data-binding functionality for Jackson: works on core streaming API
Library home page: https://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.19.1/jackson-databind-2.19.1.jar
Dependency Hierarchy:
Found in HEAD commit: 270465e4bf74e87253e9245ca2e1fc7ed83b0cbb
Found in base branch: master
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
Publish Date: 2026-06-23
URL: CVE-2026-54515
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-23
Fix Resolution: https://github.com/FasterXML/jackson-databind.git - jackson-databind-3.1.4
Step up your Open Source Security Game with Mend here