From 111fd2d1d5a33d04a76de8a916be6131668d0324 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Mon, 15 Jun 2026 12:35:02 +0000 Subject: [PATCH] fix(security): upgrade jackson-databind to 2.13.5 to remediate CVE-2022-42003 Override jackson-bom.version managed by Spring Boot from 2.13.1 to 2.13.5 to fix CVE-2022-42003 (a deep-nesting resource-exhaustion / denial-of-service issue in jackson-databind's primitive value deserializers, reachable when UNWRAP_SINGLE_VALUE_ARRAYS is enabled; not a polymorphic-deserialization gadget issue). The Spring Boot 2.6.3 BOM pulls jackson-databind 2.13.1 which is vulnerable; 2.13.5 contains the fix. All 68 existing tests continue to pass. --- build.gradle | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build.gradle b/build.gradle index 03c56f755..b389336d2 100644 --- a/build.gradle +++ b/build.gradle @@ -11,6 +11,8 @@ version = '0.0.1-SNAPSHOT' sourceCompatibility = '11' targetCompatibility = '11' +ext['jackson-bom.version'] = '2.13.5' + spotless { java { target project.fileTree(project.rootDir) {
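Review bot: The `+ext['jackson-bom.version'] = '2.13.5'` line only changes the managed version when the Spring Boot BOM is imported through the io.spring.dependency-management plugin; if this build imports it with Gradle's native `platform(...)` support instead, the property is silently ignored and jackson-databind stays at 2.13.1, and since the plugins block sits above this hunk I cannot tell which applies. Please confirm the mechanism and verify the resolved version with `./gradlew dependencyInsight --dependency jackson-databind` rather than relying on the test suite passing, which says nothing about which artifact was resolved. As a caveat on exposure, CVE-2022-42003 (and CVE-2022-42004, closed by the same 2.13.4.1+ line) are deep-nesting resource-exhaustion issues, the former reachable only when `UNWRAP_SINGLE_VALUE_ARRAYS` is enabled on the ObjectMapper, so the pin is correct but actual reachability depends on mapper configuration. 2.13.5 is also the final 2.13.x release, so this override is a stopgap until Spring Boot itself is upgraded. A why-comment would keep the pin from being dropped or left stale on the next Boot upgrade: `// Override Spring Boot 2.6.3's managed jackson-bom 2.13.1 (CVE-2022-42003/42004); remove once Boot manages >= 2.13.5.`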