
GEODE-10575: Remediation of security vulnerability (GHSA-2m67-wjpj-xhg9)#8002

Merged
JinwooHwang merged 1 commit into apache:develop from JinwooHwang:feature/GEODE-10575 on Apr 9, 2026

Conversation

@JinwooHwang
Contributor

Summary

Upgrade Jackson libraries from 2.18.6 to 2.21.2 to address a high-severity security vulnerability in jackson-core.

  • jackson-core, jackson-databind, jackson-dataformat-yaml, jackson-datatype-joda, jackson-datatype-jsr310: 2.18.6 → 2.21.2
  • jackson-annotations: 2.18.6 → 2.21 (aligned with upstream release versioning)

Security Vulnerability

Field               Details
Snyk ID             SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551
Type                Allocation of Resources Without Limits or Throttling (CWE-770)
Severity            8.7 HIGH (CVSS v4.0)
Affected Package    com.fasterxml.jackson.core:jackson-core
Affected Versions   [2.8.0, 2.21.2)
Fixed Version       2.21.2
Disclosed           4 Apr 2026
Published           5 Apr 2026

Description

Affected versions of jackson-core are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits.

References

Changes

File                            Description
DependencyConstraints.groovy    Updated jackson.version and jackson.databind.version to 2.21.2; added separate jackson.annotations.version set to 2.21
assembly_content.txt            Updated Jackson jar filenames to new versions
gfsh_dependency_classpath.txt   Updated Jackson jar filenames to new versions
dependency_classpath.txt        Updated Jackson jar filenames to new versions
expected-pom.xml                Updated Jackson dependency versions in BOM

Testing

  • build — compiles successfully
  • test — unit tests pass

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
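The advisory above concerns jackson-core's enforcement of the configured document length constraint. The following is an added example, not code from this PR or from Geode, showing how a consumer pins that limit with StreamReadConstraints and verifies that an oversized document is rejected with StreamConstraintsException once the upgraded jars are on the classpath. The 1 KiB limit and both inputs are assumptions constructed for illustration; the check relies on jackson-core enforcing maxDocumentLength for the blocking (String/Reader) parser as documented, and it prints the jackson-core version actually resolved at runtime so the bump in the build and classpath files can be confirmed end to end.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class JacksonDocLengthCheck {

    // Assumed limit for this example; size it to the largest document you expect.
    static final long MAX_DOC_BYTES = 1_024;

    // Build an ObjectMapper whose parser aborts once MAX_DOC_BYTES of input
    // have been consumed, regardless of how large the document really is.
    static ObjectMapper boundedMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxDocumentLength(MAX_DOC_BYTES)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return new ObjectMapper(factory);
    }

    // true only if parsing stopped because the document length constraint fired;
    // any other parse failure is reported as false so it is not mistaken for the limit.
    static boolean rejectedByLengthLimit(ObjectMapper mapper, String json) {
        try {
            mapper.readTree(json);
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    // Constructed input: a syntactically valid array several times larger than the limit.
    static String oversizedDocument() {
        StringBuilder sb = new StringBuilder("[");
        while (sb.length() < MAX_DOC_BYTES * 4) {
            sb.append("\"x\",");
        }
        sb.append("0]");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Version resolved from the classpath; expect 2.21.2 after this PR.
        System.out.println("jackson-core version: " + new JsonFactory().version());

        ObjectMapper mapper = boundedMapper();
        String small = "{\"k\":\"v\"}";             // constructed, well under the limit
        String oversized = oversizedDocument();       // constructed, well over the limit

        System.out.println("small document accepted:    " + !rejectedByLengthLimit(mapper, small));
        System.out.println("oversized document rejected: " + rejectedByLengthLimit(mapper, oversized));
    }
}
```

Run it with jackson-core and jackson-databind 2.21.2 on the classpath (for example the jars listed in assembly_content.txt after this change). Both lines should print true; a false on the second line means the limit is not being enforced on the path you tested. The async (createNonBlockingByteArrayParser) and DataInput parsers that the advisory also names are not exercised here and would need their own inputs.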

@JinwooHwang JinwooHwang requested a review from marinov-code April 9, 2026 19:41
@JinwooHwang
Contributor Author

Thank you so much @marinov-code

@JinwooHwang JinwooHwang merged commit e6cd1d8 into apache:develop Apr 9, 2026
5 checks passed
