fix(security): bump jackson-databind 2.18.6 → 2.18.8 (CVE-2026-54512/54513/54514) #12

Closed
adnank-stack wants to merge 2 commits into LambdaTest:lt-reports from adnank-stack:fix/jackson-databind-2.18.9-cve

Conversation

@adnank-stack adnank-stack commented Jun 25, 2026


Summary

Bumps the pinned Jackson version in karate-core/pom.xml dependencyManagement from 2.18.6 → 2.18.8 (jackson-core, jackson-databind, jackson-annotations).

This clears 3 of the 4 jackson-databind CVEs flagged by the Prisma Cloud image scan in the downstream hyperexecute-postprocessing-service (its shaded karate-*.jar bundles jackson-databind):

| CVE | Severity | Score | Patched in (2.x) | Status |
|---|---|---|---|---|
| CVE-2026-54512 | high | 8.1 | 2.18.8 | ✅ fixed |
| CVE-2026-54513 | high | 8.1 | 2.18.8 | ✅ fixed |
| CVE-2026-54514 | medium | 5.3 | 2.18.8 | ✅ fixed |
| CVE-2026-54515 | medium | 5.3 | 2.18.9 / 2.21.5 | ⏳ not yet released |

Note on CVE-2026-54515: per the GitHub advisory, the only patched versions are 2.18.9, 2.21.5 (neither published to Maven Central yet) and 3.1.4 (Jackson 3.x — different tools.jackson groupId, not a drop-in for Karate's 2.x usage). Staying on the 2.18.x line, 2.18.8 is the highest released patch. This one CVE will need a follow-up bump to 2.18.9 once it ships.

I initially proposed 2.18.9 but corrected to 2.18.8 since 2.18.9 is not yet on Maven Central (the build fails to resolve it).

Context

The post-processing service consumes the shaded fat jar built from this branch (lt-reports, karate.version 1.5.3). Its CI vulnerability scan fails on the above CVEs because the bundled jackson-databind is 2.18.6.

Testing

Version-only bump within the same minor line; no source changes. Locally built the -P fatjar artifact from this branch to confirm it resolves and packages.
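The "does the shaded jar actually bundle the patched version?" question raised in the Context and Testing sections is something a consumer of the fat jar can check directly rather than waiting for the next image scan. The following is an added example, not code from this PR or from the Karate/LambdaTest projects: it reads the jackson-databind `pom.properties` that maven-shade normally carries over under `META-INF/maven/` (assumption: the shade configuration does not strip that directory), then compares the bundled version against the advisory table in the PR description to report which of the four CVEs remain open. The jar it inspects is constructed in memory so the script runs offline; point `bundled_jackson_version` at real jar bytes to audit a real build. The table is only valid for the 2.18.x line, as the PR notes, so the check refuses to reason about other minor lines.

```python
"""Audit which jackson-databind version a shaded jar bundles and which of the
advisory-listed CVEs that version still leaves open (2.18.x line only)."""
import io
import re
import zipfile

# Path maven-shade leaves behind for each bundled artifact (assumption: not
# excluded by the project's shade configuration).
POM_PROPERTIES = (
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
)

# Advisory table as given in the PR description: CVE -> first patched 2.18.x.
PATCHED_IN_2_18 = {
    "CVE-2026-54512": "2.18.8",
    "CVE-2026-54513": "2.18.8",
    "CVE-2026-54514": "2.18.8",
    "CVE-2026-54515": "2.18.9",
}


def parse_version(version):
    """'2.18.8' -> (2, 18, 8); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def bundled_jackson_version(jar_bytes):
    """Return the jackson-databind version recorded inside the jar, or None
    when the jar does not bundle jackson-databind at all."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def open_cves(version, table=PATCHED_IN_2_18):
    """CVEs from the table whose fix version is newer than the bundled one.
    Refuses versions outside 2.18.x: the table says nothing about them."""
    parsed = parse_version(version)
    if parsed[:2] != (2, 18):
        raise ValueError(f"table covers the 2.18.x line only, got {version}")
    return sorted(cve for cve, fixed in table.items()
                  if parsed < parse_version(fixed))


def audit(jar_bytes):
    """Combine both steps: bundled version plus the CVEs still open for it."""
    version = bundled_jackson_version(jar_bytes)
    if version is None:
        return {"version": None, "open": []}
    return {"version": version, "open": open_cves(version)}


def build_fake_shaded_jar(version, include_jackson=True):
    """Constructed test input: an in-memory jar shaped like a shaded fat jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jackson:
            jar.writestr(
                POM_PROPERTIES,
                "groupId=com.fasterxml.jackson.core\n"
                "artifactId=jackson-databind\n"
                f"version={version}\n",
            )
            jar.writestr(
                "com/fasterxml/jackson/databind/ObjectMapper.class",
                b"\xca\xfe\xba\xbe",  # class-file magic only; constructed
            )
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.18.6", "2.18.8", "2.18.9"):
        print(v, audit(build_fake_shaded_jar(v)))
```

Running it against the three versions the PR discusses shows the expected progression: 2.18.6 leaves all four CVEs open, 2.18.8 leaves only CVE-2026-54515, and 2.18.9 closes the list. Against a real artifact, read the jar from disk and pass its bytes to `audit`.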

@adnank-stack adnank-stack changed the title from "fix(security): bump jackson-databind 2.18.6 → 2.18.9 (CVE-2026-54512/13/14/15)" to "fix(security): bump jackson-databind 2.18.6 → 2.18.8 (CVE-2026-54512/54513/54514)" on Jun 25, 2026
@saurabh-prakash (Collaborator)

Closing in favour of #16
