Skip to content

Jackson Release 2.13.5

Jump to bottom
Tatu Saloranta edited this page Nov 2, 2022 · 7 revisions

Possible patch version of 2.13, not yet released.

Following fixes would be included in this patch release.

Changes, core

Databind

  • #3590: Add check in primitive value deserializers to avoid deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [CVE-2022-42003]

Changes, data formats

XML

  • Upgrade Woodstox to 6.4.0 for a fix to [CVE-2022-40152]

Changes, other

Jackson-jr

  • #98: module-info.java of jr-stree refers to module com.fasterxml.jackson.jr.ob.api, which is not defined
Clone this wiki locally