Incomplete Blacklist The advisory has been revoked - it doesn't affect any version of package pki-resteasy  (opens in a new tab)


Threat Intelligence

EPSS
0.7% (49th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS9-PKIRESTEASY-17809068
  • published3 Jul 2026
  • disclosed23 Jun 2026

Introduced: 23 Jun 2026

NewCVE-2026-54513  (opens in a new tab)
CWE-184  (opens in a new tab)

Amendment

The Centos security team deemed this advisory irrelevant for Centos:9.

NVD Description

Note: Versions mentioned in the description apply only to the upstream pki-resteasy package and not the pki-resteasy package as distributed by Centos.

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.