Add CVE markers for #3582, #3590

FasterXML · Oct 5, 2022 · 450a2d9 · 450a2d9
1 parent 21e2002
commit 450a2d9
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -63,7 +63,7 @@ Project: jackson-databind
 #3568: Change `JsonNode.with(String)` and `withArray(String)` to consider
   argument as `JsonPointer` if valid expression
 #3590: Add check in primitive value deserializers to avoid deep wrapper array
-  nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS`
+  nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` [CVE-2022-42003]
 #3609: Allow non-boolean return type for "is-getters" with
   `MapperFeature.ALLOW_IS_GETTERS_FOR_NON_BOOLEAN`
  (contributed by Richard K)
@@ -78,7 +78,7 @@ Project: jackson-databind
   immutable in 2.13
  (reported by JonasWilms@github)
 #3582: Add check in `BeanDeserializer._deserializeFromArray()` to prevent
-  use of deeply nested arrays
+  use of deeply nested arrays [CVE-2022-42004]
 
 2.13.3 (14-May-2022)