📦 Bump versions of multiple dependencies to address vulnerabilities#5

Open

softforgeinc wants to merge 2 commits into main from devtask/LINEAJE-TASK-35597

Conversation

@softforgeinc
Lineaje has automatically created this pull request to resolve the following CVEs:

| Component | CVE ID | Severity | Description |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind:2.12.3 | CVE-2020-36518 | High | jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects. |
| com.fasterxml.jackson.core:jackson-databind:2.12.3 | CVE-2022-42003 | High | In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5. Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e. The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See FasterXML/jackson-databind#3627 (comment) for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures. |
| com.fasterxml.jackson.core:jackson-databind:2.12.3 | CVE-2022-42004 | High | In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled. |
| com.fasterxml.jackson.core:jackson-databind:2.12.3 | CVE-2021-46877 | High | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. |
| org.springframework:spring-core:5.3.9 | CVE-2021-22096 | Medium | Improper Output Neutralization for Logs in Spring Framework |
| org.springframework:spring-core:5.3.9 | CVE-2021-22060 | Medium | Log entry injection in Spring Framework |
| org.springframework:spring-core:5.3.9 | CVE-2025-41249 | High | Spring Framework annotation detection mechanism may result in improper authorization |

You can merge this PR once the tests pass and the changes are reviewed.

Thank you for reviewing the update! 🚀
