fix(deps): vuln com.fasterxml.jackson.core:jackson-databind (minor → 2.21.2) [integration/testdata] by gh-worker-campaigns-3e9aa4[bot] · Pull Request #36 · DataDog/trivy

gh-worker-campaigns-3e9aa4 · 2026-04-23T10:50:58Z

Summary: Critical-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

integration/testdata (maven)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
com.fasterxml.jackson.core:jackson-databind	2.9.1	2.21.2	minor	Direct	46 CRITICAL, 84 HIGH, 4 MODERATE

Security Details

🚨 Critical & High Severity (130 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
com.fasterxml.jackson.core:jackson-databind	CVE-2017-15095	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-645p-88qh-w398	CRITICAL	Arbitrary Code Execution in jackson-databind	2.9.1	2.9.7
com.fasterxml.jackson.core:jackson-databind	CVE-2019-17531	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-gjmw-vf9h-g25v	CRITICAL	jackson-databind polymorphic typing issue	2.9.1	2.9.10.1
com.fasterxml.jackson.core:jackson-databind	CVE-2020-9546	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-5p34-5m6p-p58g	CRITICAL	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2019-20330	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-gww7-p5w4-wrfv	CRITICAL	Deserialization of Untrusted Data in jackson-databind	2.9.1	2.6.7.4
com.fasterxml.jackson.core:jackson-databind	GHSA-qr7j-h6gg-jmgc	CRITICAL	Deserialization of Untrusted Data in jackson-databind	2.9.1	2.7.9.4
com.fasterxml.jackson.core:jackson-databind	CVE-2018-11307	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-6fpp-rgj9-8rwc	CRITICAL	Deserialization of untrusted data in FasterXML jackson-databind	2.9.1	2.9.9.2
com.fasterxml.jackson.core:jackson-databind	CVE-2019-14379	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-mx9v-gmh4-mgqw	CRITICAL	Deserialization of Untrusted Data in jackson-databind	2.9.1	2.7.9.5
com.fasterxml.jackson.core:jackson-databind	CVE-2018-19361	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2019-16943	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-fmmc-742q-jg75	CRITICAL	jackson-databind polymorphic typing issue	2.9.1	2.9.10.1
com.fasterxml.jackson.core:jackson-databind	GHSA-rfx6-vp9g-rh7v	CRITICAL	jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass	2.9.1	2.9.4
com.fasterxml.jackson.core:jackson-databind	CVE-2017-17485	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-9547	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-q93h-jc49-78gg	CRITICAL	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2018-14719	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-4gq5-ch57-c2mg	CRITICAL	Arbitrary Code Execution in jackson-databind	2.9.1	2.9.7
com.fasterxml.jackson.core:jackson-databind	CVE-2018-19362	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-c8hm-7hpq-7jhg	CRITICAL	com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data	2.9.1	2.9.8
com.fasterxml.jackson.core:jackson-databind	CVE-2018-14720	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-x2w5-5m2g-7h5m	CRITICAL	XML External Entity Reference (XXE) in jackson-databind	2.9.1	2.9.7
com.fasterxml.jackson.core:jackson-databind	CVE-2018-19360	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-f9hv-mg5h-xcw9	CRITICAL	Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization	2.9.1	2.9.8
com.fasterxml.jackson.core:jackson-databind	GHSA-p43x-xfjf-5jhr	CRITICAL	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2020-9548	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2019-14540	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-h822-r4r5-v8jg	CRITICAL	Polymorphic Typing issue in FasterXML jackson-databind	2.9.1	2.9.10
com.fasterxml.jackson.core:jackson-databind	GHSA-cggj-fvv3-cqwv	CRITICAL	FasterXML jackson-databind allows unauthenticated remote code execution	2.9.1	2.8.11.1
com.fasterxml.jackson.core:jackson-databind	CVE-2018-7489	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-mx7p-6679-8g3q	CRITICAL	Polymorphic Typing in FasterXML jackson-databind	2.9.1	2.9.10.1
com.fasterxml.jackson.core:jackson-databind	CVE-2019-16942	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2019-17267	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-f3j5-rmmp-3fc5	CRITICAL	Improper Input Validation in jackson-databind	2.9.1	2.9.10
com.fasterxml.jackson.core:jackson-databind	CVE-2018-14721	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-9mxf-g3x6-wv74	CRITICAL	Server-Side Request Forgery (SSRF) in jackson-databind	2.9.1	2.9.7
com.fasterxml.jackson.core:jackson-databind	GHSA-h592-38cm-4ggp	CRITICAL	jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution	2.9.1	2.8.11
com.fasterxml.jackson.core:jackson-databind	CVE-2019-16335	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-85cw-hj65-qqv9	CRITICAL	Polymorphic Typing issue in FasterXML jackson-databind	2.9.1	2.9.10
com.fasterxml.jackson.core:jackson-databind	CVE-2020-8840	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-4w82-r329-3q67	CRITICAL	Deserialization of Untrusted Data in jackson-databind	2.9.1	2.6.7.4
com.fasterxml.jackson.core:jackson-databind	CVE-2018-14718	CRITICAL	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-j823-4qch-3rgm	HIGH	Deserialization of untrusted data in Jackson Databind	2.9.1	2.9.10.5
com.fasterxml.jackson.core:jackson-databind	CVE-2020-24750	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-27xj-rqx5-2255	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2019-14893	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-qmqc-x3r4-6v39	HIGH	Polymorphic deserialization of malicious object in jackson-databind	2.9.1	2.9.10
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36518	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-wh8g-3j2c-rqj5	HIGH	Serialization gadgets exploit in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-35490	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-8c4j-34r4-xr8g	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36180	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-95cm-88f5-f2c7	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2020-10672	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-57j2-w4cx-62h2	HIGH	Deeply nested json in jackson-databind	2.9.1	2.13.2.1
com.fasterxml.jackson.core:jackson-databind	CVE-2018-12022	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-6wqp-v4v6-c87c	HIGH	Deserialization of Untrusted Data	2.9.1	2.7.9.4
com.fasterxml.jackson.core:jackson-databind	CVE-2018-12023	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-cf6r-3wgc-h863	HIGH	Polymorphic deserialization of malicious object in jackson-databind	2.9.1	2.6.7.3
com.fasterxml.jackson.core:jackson-databind	CVE-2019-14892	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-cjjf-94ff-43w7	HIGH	jackson-databind Deserialization of Untrusted Data vulnerability	2.9.1	2.7.9.4
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36188	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-f9xh-2qgp-cq57	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-14060	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-14062	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2018-5968	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-cvm9-fjm9-3572	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36181	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-w3f4-3q6j-rh82	HIGH	Deserialization of Untrusted Data in jackson-databind	2.9.1	2.8.11.1
com.fasterxml.jackson.core:jackson-databind	GHSA-c265-37vj-cwcc	HIGH	Deserialization of untrusted data in Jackson Databind	2.9.1	2.9.10.5
com.fasterxml.jackson.core:jackson-databind	CVE-2021-20190	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-5949-rw7g-wx7w	HIGH	Deserialization of untrusted data in jackson-databind	2.9.1	2.9.10.7
com.fasterxml.jackson.core:jackson-databind	CVE-2022-42003	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-jjjh-jjxp-wpff	HIGH	Uncontrolled Resource Consumption in Jackson-databind	2.9.1	2.12.7.1
com.fasterxml.jackson.core:jackson-databind	GHSA-9gph-22xh-8x98	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36179	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-r695-7vr9-jgc2	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36187	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-89qr-369f-5m5x	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36182	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-10650	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-rpr3-cw39-3pxh	HIGH	jackson-databind vulnerable to unsafe deserialization	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2019-14439	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-gwp4-hfv6-p7hw	HIGH	Deserialization of untrusted data in FasterXML jackson-databind	2.9.1	2.9.9.2
com.fasterxml.jackson.core:jackson-databind	GHSA-qjw2-hr98-qgfh	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.6.7.5
com.fasterxml.jackson.core:jackson-databind	CVE-2020-11619	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-m6x4-97wx-4q27	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36184	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-35491	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-r3gr-cxrf-hg25	HIGH	Serialization gadgets exploit in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	GHSA-5r5r-6hpj-8gg9	HIGH	Serialization gadget exploit in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-35728	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-v585-23hc-c647	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36186	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-14061	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-c2q3-4qrh-fm48	HIGH	Deserialization of untrusted data in Jackson Databind	2.9.1	2.9.10.5
com.fasterxml.jackson.core:jackson-databind	GHSA-rf6r-2c4q-2vwg	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2020-10968	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-11112	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-58pp-9c76-5625	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	GHSA-h4rc-386g-6m85	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2020-11620	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-8w26-6f25-cm9x	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36185	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-h3cw-g4mq-c5x2	HIGH	Code Injection in jackson-databind	2.9.1	2.9.10.6
com.fasterxml.jackson.core:jackson-databind	CVE-2020-24616	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2022-42004	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-rgv9-q543-rqg4	HIGH	Uncontrolled Resource Consumption in FasterXML jackson-databind	2.9.1	2.12.7.1
com.fasterxml.jackson.core:jackson-databind	GHSA-758m-v56v-grj4	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2020-10969	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-11111	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-v3xw-c963-f5hc	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	GHSA-fqwf-pjwf-7vqv	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2020-10673	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-mc6h-4qgp-37qh	HIGH	Deserialization of untrusted data in Jackson Databind	2.9.1	2.9.10.5
com.fasterxml.jackson.core:jackson-databind	CVE-2020-14195	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-25649	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-288c-cq4h-88gq	HIGH	XML External Entity (XXE) Injection in Jackson Databind	2.9.1	2.6.7.4
com.fasterxml.jackson.core:jackson-databind	GHSA-9m6f-7xcq-8vf8	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36183	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2020-11113	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-9vvp-fxw6-jcxr	HIGH	jackson-databind mishandles the interaction between serialization gadgets and typing	2.9.1	2.9.10.4
com.fasterxml.jackson.core:jackson-databind	CVE-2019-12086	HIGH	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-5ww9-j83m-q7qx	HIGH	Information exposure in FasterXML jackson-databind	2.9.1	2.9.9
com.fasterxml.jackson.core:jackson-databind	GHSA-vfqx-33qm-g869	HIGH	Unsafe Deserialization in jackson-databind	2.9.1	2.9.10.8
com.fasterxml.jackson.core:jackson-databind	CVE-2020-36189	HIGH	-	2.9.1	-

ℹ️ Other Vulnerabilities (4)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
com.fasterxml.jackson.core:jackson-databind	GHSA-cmfg-87vq-g5g4	MODERATE	Deserialization of untrusted data in FasterXML jackson-databind	2.9.1	2.9.9.1
com.fasterxml.jackson.core:jackson-databind	CVE-2019-12814	MODERATE	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	CVE-2019-12384	MODERATE	-	2.9.1	-
com.fasterxml.jackson.core:jackson-databind	GHSA-mph4-vhrx-mv67	MODERATE	Deserialization of Untrusted Data in FasterXML jackson-databind	2.9.1	2.9.9.1

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
com.fasterxml.jackson.core:jackson-databind	`2.9.1`	-	`2.21.2`	`integration/testdata/fixtures/repo/pom/pom.xml`

Review Checklist

Standard review:

Review changes for compatibility with your code
Check for breaking changes in release notes
Run tests locally or wait for CI
Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

dd-prapprover · 2026-04-23T14:04:36Z

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-04-23T14:04:35Z
⬜ CI tests passed
⬜ Approved
⬜ Merge Started
⬜ Merged

➡️ Current phase: waiting for CI tests to complete...

Executing automated changes

200256e

gh-worker-campaigns-3e9aa4 Bot added campaigner-automated-change adms-mode-all-updates adms-high-severity adms-critical-severity adms-medium-severity adms-fixes-eol adms-minor-update adms-java adms-dependency-update labels Apr 23, 2026

campaigner-prod Bot marked this pull request as ready for review April 23, 2026 14:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): vuln com.fasterxml.jackson.core:jackson-databind (minor → 2.21.2) [integration/testdata]#36

fix(deps): vuln com.fasterxml.jackson.core:jackson-databind (minor → 2.21.2) [integration/testdata]#36
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/maven/testdata/0-1776941447

gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Uh oh!

dd-prapprover Bot commented Apr 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Updates

Security Details

Review Checklist

Uh oh!

dd-prapprover Bot commented Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🛠️ PRApproval Status

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dd-prapprover Bot commented Apr 23, 2026 •

edited

Loading