@campaigner-prod
Contributor

Summary: Critical-severity security update — 16 packages upgraded (MINOR changes included)

Manifests changed:

  • utils/build (maven)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- |
| org.postgresql:postgresql | 42.6.0 | 42.6.2 | patch | 1 CRITICAL |
| org.postgresql:postgresql | 42.6.0 | 42.6.2 | patch | 1 CRITICAL |
| org.scala-lang:scala-library | 2.13.8 | 2.13.18 | patch | 1 CRITICAL |
| com.fasterxml.jackson.core:jackson-databind | 2.10.3 | 2.20.1 | minor | 5 HIGH |
| com.fasterxml.jackson.core:jackson-databind | 2.12.3 | 2.20.1 | minor | 4 HIGH |
| axios | 1.5.1 | 1.13.2 | minor | 3 HIGH, 1 MODERATE |
| axios | 1.2.3 | 1.13.2 | minor | 2 HIGH, 1 MODERATE |
| axios | 1.2.3 | 1.13.2 | minor | 2 HIGH, 1 MODERATE |
| axios | 1.2.3 | 1.13.2 | minor | 2 HIGH, 1 MODERATE |
| ch.qos.logback:logback-classic | 1.2.11 | 1.5.24 | minor | 1 HIGH |
| com.mysql:mysql-connector-j | 8.0.33 | 8.4.0 | minor | 1 HIGH |
| com.mysql:mysql-connector-j | 8.0.33 | 8.4.0 | minor | 1 HIGH |
| body-parser | 1.20.1 | 1.20.4 | patch | 1 HIGH |
| body-parser | 1.20.1 | 1.20.4 | patch | 1 HIGH |
| com.google.protobuf:protobuf-java | 3.25.3 | 3.25.8 | patch | 1 HIGH |
| com.google.protobuf:protobuf-java | 3.25.3 | 3.25.8 | patch | 1 HIGH |

Security Details

🚨 Critical & High Severity (28 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| org.postgresql:postgresql | GHSA-24rp-q3w6-vc56 | CRITICAL | org.postgresql:postgresql vulnerable to SQL Injection via line comment generation | 42.6.0 | 42.2.28 |
| org.postgresql:postgresql | GHSA-24rp-q3w6-vc56 | CRITICAL | org.postgresql:postgresql vulnerable to SQL Injection via line comment generation | 42.6.0 | 42.2.28 |
| org.scala-lang:scala-library | GHSA-8qv5-68g4-248j | CRITICAL | Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization | 2.13.8 | 2.13.9 |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.2.3 | 1.12.0 |
| axios | GHSA-jr5f-v2jv-69x6 | HIGH | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | 1.2.3 | 1.8.2 |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.2.3 | 1.12.0 |
| axios | GHSA-jr5f-v2jv-69x6 | HIGH | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | 1.2.3 | 1.8.2 |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.2.3 | 1.12.0 |
| axios | GHSA-jr5f-v2jv-69x6 | HIGH | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | 1.2.3 | 1.8.2 |
| axios | GHSA-8hc4-vh64-cxmj | HIGH | Server-Side Request Forgery in axios | 1.5.1 | 1.7.4 |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.5.1 | 1.12.0 |
| axios | GHSA-jr5f-v2jv-69x6 | HIGH | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | 1.5.1 | 1.8.2 |
| body-parser | GHSA-qwcr-r2fm-qrc7 | HIGH | body-parser vulnerable to denial of service when url encoding is enabled | 1.20.1 | 1.20.3 |
| body-parser | GHSA-qwcr-r2fm-qrc7 | HIGH | body-parser vulnerable to denial of service when url encoding is enabled | 1.20.1 | 1.20.3 |
| ch.qos.logback:logback-classic | GHSA-vmq6-5m68-f53m | HIGH | logback serialization vulnerability | 1.2.11 | 1.3.12 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-rgv9-q543-rqg4 | HIGH | Uncontrolled Resource Consumption in FasterXML jackson-databind | 2.12.3 | 2.12.7.1 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-3x8x-79m2-3w2w | HIGH | jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode | 2.12.3 | 2.12.6 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-jjjh-jjxp-wpff | HIGH | Uncontrolled Resource Consumption in Jackson-databind | 2.12.3 | 2.12.7.1 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-57j2-w4cx-62h2 | HIGH | Deeply nested json in jackson-databind | 2.12.3 | 2.13.2.1 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-57j2-w4cx-62h2 | HIGH | Deeply nested json in jackson-databind | 2.10.3 | 2.13.2.1 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-rgv9-q543-rqg4 | HIGH | Uncontrolled Resource Consumption in FasterXML jackson-databind | 2.10.3 | 2.12.7.1 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-288c-cq4h-88gq | HIGH | XML External Entity (XXE) Injection in Jackson Databind | 2.10.3 | 2.6.7.4 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-3x8x-79m2-3w2w | HIGH | jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode | 2.10.3 | 2.12.6 |
| com.fasterxml.jackson.core:jackson-databind | GHSA-jjjh-jjxp-wpff | HIGH | Uncontrolled Resource Consumption in Jackson-databind | 2.10.3 | 2.12.7.1 |
| com.google.protobuf:protobuf-java | GHSA-735f-pc8j-v9w8 | HIGH | protobuf-java has potential Denial of Service issue | 3.25.3 | 3.25.5 |
| com.google.protobuf:protobuf-java | GHSA-735f-pc8j-v9w8 | HIGH | protobuf-java has potential Denial of Service issue | 3.25.3 | 3.25.5 |
| com.mysql:mysql-connector-j | GHSA-m6vm-37g8-gqvh | HIGH | MySQL Connectors takeover vulnerability | 8.0.33 | 8.2.0 |
| com.mysql:mysql-connector-j | GHSA-m6vm-37g8-gqvh | HIGH | MySQL Connectors takeover vulnerability | 8.0.33 | 8.2.0 |

ℹ️ Other Vulnerabilities (4)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| axios | GHSA-wf5p-g6vw-rhxx | MODERATE | Axios Cross-Site Request Forgery Vulnerability | 1.2.3 | 1.6.0 |
| axios | GHSA-wf5p-g6vw-rhxx | MODERATE | Axios Cross-Site Request Forgery Vulnerability | 1.2.3 | 1.6.0 |
| axios | GHSA-wf5p-g6vw-rhxx | MODERATE | Axios Cross-Site Request Forgery Vulnerability | 1.2.3 | 1.6.0 |
| axios | GHSA-wf5p-g6vw-rhxx | MODERATE | Axios Cross-Site Request Forgery Vulnerability | 1.5.1 | 1.6.0 |

⚠️ Dependencies that have Reached EOL (4)
| Dependency | Unsafe Version | EOL Date | New Version | Path |
| --- | --- | --- | --- | --- |
| ch.qos.logback:logback-classic | 1.2.11 | - | 1.5.24 | utils/build/docker/java/akka-http/pom.xml |
| com.fasterxml.jackson.core:jackson-databind | 2.12.3 | - | 2.20.1 | utils/build/docker/java/jersey-grizzly2/pom.xml |
| com.fasterxml.jackson.core:jackson-databind | 2.10.3 | - | 2.20.1 | utils/build/docker/java/ratpack/pom.xml |
| org.scala-lang:scala-library | 2.13.8 | Jun 7, 2024 | 2.13.18 | utils/build/docker/java/play/pom.xml |

Review Checklist

Enhanced review recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod bot requested review from a team as code owners January 8, 2026 03:08
@campaigner-prod campaigner-prod bot requested review from amarziali, daniel-romano-DD, manuel-alvarez-alvarez and mx-psi and removed request for a team January 8, 2026 03:08
@github-actions
Contributor

github-actions bot commented Jan 8, 2026

CODEOWNERS have been resolved as:

utils/build/docker/java/akka-http/pom.xml                               @DataDog/apm-java @DataDog/asm-java @DataDog/system-tests-core
utils/build/docker/java/jersey-grizzly2/pom.xml                         @DataDog/apm-java @DataDog/asm-java @DataDog/system-tests-core
utils/build/docker/java/play/pom.xml                                    @DataDog/apm-java @DataDog/asm-java @DataDog/system-tests-core
utils/build/docker/java/ratpack/pom.xml                                 @DataDog/apm-java @DataDog/asm-java @DataDog/system-tests-core
utils/build/docker/java/spring-boot/pom.xml                             @DataDog/apm-java @DataDog/asm-java @DataDog/system-tests-core
utils/build/docker/java_otel/spring-boot/pom.xml                        @DataDog/opentelemetry @DataDog/system-tests-core

@cbeauchesne cbeauchesne closed this Jan 9, 2026
@cbeauchesne cbeauchesne reopened this Jan 9, 2026
@cbeauchesne
Collaborator

@amarziali, @mx-psi, the CI is failing, do you have the time/knowledge to take a look?
