From 1f46141b4927da4000fba152552b203a499b2843 Mon Sep 17 00:00:00 2001 From: Marty Pradere Date: Tue, 30 Jun 2026 10:39:29 -0600 Subject: [PATCH] Address OWASP dependency-check CVEs in Jackson and Kotlin Bump the Jackson 2.x version properties (jacksonVersion, jacksonDatabindVersion, jacksonJaxrsBaseVersion) from 2.21.0 to 2.21.4 and jackson3Version from 3.1.0 to 3.1.4 to pick up the fixes for CVE-2026-54512 through CVE-2026-54518 (PolymorphicTypeValidator bypass and view-authorization issues). The 2.x databind/core are force-pinned via these properties and the 3.x databind flows into the embedded module's strictly constraints, as confirmed with dependencyInsight. Suppress CVE-2026-53914 for the transitive Kotlin jars. That CVE is in the Kotlin compiler's build-cache deserialization; LabKey has no Kotlin source and applies no Kotlin Gradle plugin, so nothing here compiles Kotlin or uses the Kotlin build cache. The kotlin-stdlib/kotlin-reflect jars are only transitive runtime dependencies of OkHttp (via the Duo SDK in mfa, and TCRdb), so the vulnerability is not applicable. --- dependencyCheckSuppression.xml | 12 ++++++++++++ gradle.properties | 8 ++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 4a7c257d00..0fe1a5999d 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -316,4 +316,16 @@ CVE-2025-15104 + + + + ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$ + CVE-2026-53914 + + diff --git a/gradle.properties b/gradle.properties index 21f365151f..60f1759e85 100644 --- a/gradle.properties +++ b/gradle.properties @@ -195,15 +195,15 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=2.3.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=2.21.0 -jacksonDatabindVersion=2.21.0 -jacksonJaxrsBaseVersion=2.21.0 +jacksonVersion=2.21.4 +jacksonDatabindVersion=2.21.4 +jacksonJaxrsBaseVersion=2.21.4 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 # Spring Boot brings in a transitive dependency on Jackson 3.x. It has changed package names and can coexist with Jackson 2.x. -jackson3Version=3.1.0 +jackson3Version=3.1.4 # The Jakarta Activation API version that Angus Activation implements. Keep in sync with angusActivationVersion (above). jakartaActivationApiVersion=2.1.4