CVE-2026-54514
Published 2026-06-23
Priority P429 · medium · CVSS 3.1 score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.22% (12.3rd percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Affected
69 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-27 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-27 | de-supported-rhel9 | — | — |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| eap74-els-openjdk11-openshift-rhel8 | eap74-els-openjdk11-openshift-rhel8 | — | — |
| eap74-els-openjdk17-openshift-rhel8 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| eap74-els-openjdk8-openshift-rhel8 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.0.0 < 2.18.8 | 2.18.8 |
| fasterxml | jackson-databind | >= 2.19.0 < 2.21.4 | 2.21.4 |
| fasterxml | jackson-databind | >= 3.0.0 < 3.1.4 | 3.1.4 |
| jboss-eap-7 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| jboss-eap-7 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| jenkins | jenkins | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| offline-knowledge-portal | rhokp-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vendor_redhat · 5.3 MEDIUM
VulDB
FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3 InetSocketAddress server-side request forgery (GHSA-hgj6-7826-r7m5 / EUVD-2026-38592)
vuldb·2026-06-23·CVSS 5.3
CVE-2026-54514 [MEDIUM] FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3 InetSocketAddress server-side request forgery (GHSA-hgj6-7826-r7m5 / EUVD-2026-38592)
A vulnerability classified as critical has been found in FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3. Affected by this vulnerability is an unknown functionality. The manipulation of the argument InetSocketAddress leads to server-side request forgery.
This vulnerability is listed as CVE-2026-54514. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
ghsa·2026-06-23
CVE-2026-54514 [MEDIUM] CWE-918 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
## Summary
`JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAddress` field issues an attacker-chosen DNS query during `readValue`, before any application-level validation or connect logic. The fix uses `InetSocketAddress.createUnresolved(host, port)`, deferring DNS to an explicit connect.
## Impact
An attacker controlling JSON deserialized into an `InetSocketAddress`-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of
Red Hat
jackson-databind: jackson-databind: Information Disclosure via Eager DNS Resolution
vendor_redhat·2026-06-23·CVSS 5.3
CVE-2026-54514 [MEDIUM] CWE-502 jackson-databind: jackson-databind: Information Disclosure via Eager DNS Resolution
A flaw was f
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54514 google-gson: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 google-gson: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-54514 byte-buddy: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 byte-buddy: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 ceph: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 ceph: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 jetty: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 jetty: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 jackson-bom: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 jackson-bom: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 jackson-jaxrs-providers: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 jackson-jaxrs-providers: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 jackson-modules-base: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 jackson-modules-base: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 python-avro: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 python-avro: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 resteasy: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 resteasy: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 dogtag-pki: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 dogtag-pki: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 log4j: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 log4j: jackson-databind: Information Disclosure via Eager DNS Resolution [fedora-all]
Bugzilla
CVE-2026-54514 jackson-databind: jackson-databind: Information Disclosure via Eager DNS Resolution
bugzilla·2026-06-23·CVSS 5.3
CVE-2026-54514 [MEDIUM] CVE-2026-54514 jackson-databind: jackson-databind: Information Disclosure via Eager DNS Resolution
Published 2026-06-23