
fix(deps): update all minor dependencies (main)#332

Open
renovate[bot] wants to merge 1 commit into main from renovate/main-all-minor-patch

Conversation

@renovate renovate Bot commented Apr 24, 2026

Contributor

This PR contains the following updates:

Package                                                Change
org.sonatype.central:central-publishing-maven-plugin   0.10.0 -> 0.11.0
org.apache.maven.plugins:maven-surefire-plugin         3.5.5 -> 3.5.6
org.junit.jupiter:junit-jupiter                        5.14.3 -> 5.14.4
org.apache.logging.log4j:log4j-slf4j2-impl             2.25.4 -> 2.26.1
org.slf4j:slf4j-api                                    2.0.17 -> 2.0.18
org.projectlombok:lombok                               1.18.44 -> 1.18.46
com.fasterxml.jackson.core:jackson-databind            2.21.2 -> 2.21.4

jackson-databind has a @JsonView bypass for unwrapped creator parameters

CVE-2026-54518 / GHSA-rcqc-6cw3-h962

Summary

UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active.

Impact

View-restricted unwrapped creator parameters can be set from untrusted input where @JsonView is used as a write-side authorization boundary.

Affected / Patched (verified via git tag --contains)
  • 2.21 line: >= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport 721fa07, #5973)
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5971, d633bc0)
Severity / CWE

Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-284.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields

CVE-2026-54516 / GHSA-9fxm-vc8v-hj55

Summary

POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter.

Impact

POJOs combining a renamed getter with an ignored setter (a read-only-over-the-wire pattern) have that field silently set from attacker input (property tampering / mass assignment). Not a general gadget; no RCE.

Affected / Patched (verified via git tag --contains)
  • 2.21 line: >= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport c3d56dd, #5968)
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5967, e88cb17)
Severity / CWE

Maintainer: minor. Reporter: HIGH. CWE-915.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind has @JsonView bypass for setterless creator properties

CVE-2026-54517 / GHSA-5hh8-q8hv-fr38

Summary

In BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it.

Impact

View-restricted (e.g. admin-only) setterless collection/map properties can be written from untrusted JSON despite @JsonView gating — an access-control / mass-assignment bypass. No RCE or DoS.

Affected / Patched (verified via git tag --contains)
  • 2.21 line: >= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport 94c5d21, #5970)
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5969, 5bf23ed)
Severity / CWE

Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-1220.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation

CVE-2026-54512 / GHSA-j3rv-43j4-c7qm

jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV.

If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization.

An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list.

This is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifests as a validator bypass rather than a missing deny-list entry.

Impact
  • Bypass of the PTV allow-list, including the recommended BasicPolymorphicTypeValidator configured with name-prefix allow rules.
  • Arbitrary class instantiation of any type assignable to the container's element/parameter position, with attacker-controlled property values (setter/field injection).
  • Potential unauthenticated remote code execution when a class with exploitable side effects (JNDI lookup, JDBC/connection-pool gadgets, TemplatesImpl-style loaders, etc.) is present on the classpath.

Applications that accept untrusted JSON and rely on a configured PTV — the documented, security-conscious configuration — are affected.

Proof of Concept

Configuration restricting polymorphic deserialization to a single safe container:

BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
        .allowIfSubType("java.util.ArrayList")
        .build();

ObjectMapper mapper = JsonMapper.builder()
        .polymorphicTypeValidator(ptv)
        .build();

Malicious payload (Wrapper.value is Object with @JsonTypeInfo(use = Id.CLASS, include = As.WRAPPER_ARRAY)):

{"value":["java.util.ArrayList<com.evil.EvilGadget>",[{"cmd":"calc.exe"}]]}

On vulnerable versions, com.evil.EvilGadget is instantiated and its cmd property is set, despite only java.util.ArrayList being allow-listed. On 2.18.8 / 2.21.4 / 3.1.4 the deserialization throws InvalidTypeIdException before instantiation.

Variant payloads (all bypass an ArrayList/HashMap allow-list):

Type ID                                           Smuggled type position
java.util.ArrayList<Evil>                         list element
java.util.HashMap<Evil,String>                    map key
java.util.HashMap<String,Evil>                    map value
java.util.ArrayList<java.util.ArrayList<Evil>>    nested element
java.util.ArrayList<Evil[]>                       array element

Patches

Fixed in 2.18.8, 2.21.4 and 3.1.4 via the changes for FasterXML/jackson-databind#5988, commit 434d6c511. The fix adds recursive validation of each non-trivial type parameter (and array element types appearing as parameters) through the full PTV chain, with documented exemptions for Object (wildcard resolution) and Enum types.

PolymorphicTypeValidator was added in 2.10.0, so the vulnerability is N/A for versions prior to that.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

CVE-2026-54513 / GHSA-rmj7-2vxq-3g9f

Summary

BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.

Impact

Applications using BasicPolymorphicTypeValidator with allowIfSubTypeIsArray() as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.

Affected / Patched (verified via git tag --contains)
  • 2.18 line: >= 2.10.0, < 2.18.8 -> fixed in 2.18.8
  • 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4

PolymorphicTypeValidator was added in 2.10.0, so the vulnerability is N/A for versions prior to that.

Severity / CWE

Maintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.

Upstream fix

FasterXML/jackson-databind#5981; fix PR #5983 (24529da), 2.18 backport PR #5984 (01d1692). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

CVE-2026-54514 / GHSA-hgj6-7826-r7m5

Summary

JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.

Impact

An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.

Affected / Patched (verified via git tag --contains on 1f5a103)
  • 2.18 line: >= 2.18.0, < 2.18.8 -> fixed in 2.18.8
  • 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4
Severity / CWE

Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).

Upstream fix

FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

projectlombok/lombok (org.projectlombok:lombok)

v1.18.46

Compare Source


Configuration

📅 Schedule: (in timezone Europe/Paris)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
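A regression check for the PolymorphicTypeValidator generic-parameter bypass (CVE-2026-54512) summarised in the advisory above, added here as an example and not code from this PR, the advisory or the jackson project. It reuses the advisory's PTV configuration and Wrapper shape, and substitutes a harmless Canary class (assumed name) that only records whether it was constructed, so a team can run it against whichever jackson-databind version the build actually resolves before and after merging this update.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

/** Regression check for CVE-2026-54512 against the jackson-databind version on the classpath. */
public class PtvGenericBypassCheck {

    // Same shape as the advisory's Wrapper: an Object-typed field carrying class-name type IDs.
    public static class Wrapper {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.WRAPPER_ARRAY)
        public Object value;
    }

    // Harmless stand-in for a gadget (assumed name): it only records that it was constructed.
    public static class Canary {
        static volatile boolean constructed;
        public String cmd;
        public Canary() { constructed = true; }
    }

    // The advisory's configuration: only java.util.ArrayList is allow-listed.
    static ObjectMapper mapperWithArrayListOnly() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("java.util.ArrayList")
                .build();
        return JsonMapper.builder().polymorphicTypeValidator(ptv).build();
    }

    /**
     * Feeds the advisory's payload shape with Canary in the generic-parameter position.
     * Returns true only if the mapper rejects the type ID before any Canary is constructed.
     */
    static boolean rejectsSmuggledTypeParameter() throws Exception {
        Canary.constructed = false;
        String typeId = "java.util.ArrayList<" + Canary.class.getName() + ">";
        String json = "{\"value\":[\"" + typeId + "\",[{\"cmd\":\"noop\"}]]}";
        try {
            mapperWithArrayListOnly().readValue(json, Wrapper.class);
            return false;                  // deserialized without error: allow-list bypassed
        } catch (InvalidTypeIdException expected) {
            return !Canary.constructed;    // patched behaviour: rejected before instantiation
        }
    }

    public static void main(String[] args) throws Exception {
        boolean patched = rejectsSmuggledTypeParameter();
        System.out.println(patched ? "PTV rejects nested type parameters: patched"
                                   : "Canary was instantiated: vulnerable, upgrade to 2.21.4 or later");
    }
}
```

Run it once with the currently pinned 2.21.2 and again after the bump to 2.21.4; the first run should report the canary being instantiated, the second should not.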

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 24, 2026
@renovate renovate Bot changed the title fix(deps): update dependency org.projectlombok:lombok to v1.18.46 (main) fix(deps): update all minor dependencies (main) Apr 26, 2026
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch 2 times, most recently from 76eb86c to 5baeea2 Compare April 28, 2026 22:15
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch 2 times, most recently from a59d941 to 7091b1a Compare May 12, 2026 20:42
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch from 7091b1a to 59acb33 Compare May 27, 2026 22:04
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch 2 times, most recently from 3bff018 to 9406acf Compare June 1, 2026 03:37
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch from 9406acf to 9da31df Compare June 16, 2026 17:48
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch from 9da31df to d864d77 Compare June 30, 2026 07:13
@renovate renovate Bot added the security label Jun 30, 2026
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch 2 times, most recently from 5849018 to c26da63 Compare July 1, 2026 00:42
@renovate renovate Bot force-pushed the renovate/main-all-minor-patch branch from c26da63 to c6fef82 Compare July 2, 2026 15:33