Fedora Account System
Red Hat Associate
Red Hat Customer
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.
FEDORA-2026-ddde3cf003 (fasterxml-oss-parent-75-1.fc45, jackson-annotations-2.21-6.fc45, and 6 more) has been submitted as an update to Fedora 45. https://bodhi.fedoraproject.org/updates/FEDORA-2026-ddde3cf003
FEDORA-2026-ddde3cf003 (fasterxml-oss-parent-75-1.fc45, jackson-annotations-2.21-6.fc45, and 6 more) has been pushed to the Fedora 45 stable repository. If problem still persists, please make note of it in this bug report.