From 450a2d97aa15b337582e3640c046bc1efbe9c0e9 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Wed, 5 Oct 2022 15:36:30 -0700 Subject: [PATCH] Add CVE markers for #3582, #3590 --- release-notes/VERSION-2.x | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x index ff737f1efc..bc4fcbc679 100644 --- a/release-notes/VERSION-2.x +++ b/release-notes/VERSION-2.x @@ -63,7 +63,7 @@ Project: jackson-databind #3568: Change `JsonNode.with(String)` and `withArray(String)` to consider argument as `JsonPointer` if valid expression #3590: Add check in primitive value deserializers to avoid deep wrapper array - nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` + nesting wrt `UNWRAP_SINGLE_VALUE_ARRAYS` [CVE-2022-42003] #3609: Allow non-boolean return type for "is-getters" with `MapperFeature.ALLOW_IS_GETTERS_FOR_NON_BOOLEAN` (contributed by Richard K) @@ -78,7 +78,7 @@ Project: jackson-databind immutable in 2.13 (reported by JonasWilms@github) #3582: Add check in `BeanDeserializer._deserializeFromArray()` to prevent - use of deeply nested arrays + use of deeply nested arrays [CVE-2022-42004] 2.13.3 (14-May-2022)
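Review bot: In the first hunk (@@ -63,7 +63,7 @@), the `[CVE-2022-42003]` marker on the #3590 entry is recorded in one version section only, while the second hunk tags #3582 in a different section, the one directly above `2.13.3 (14-May-2022)`. If the #3590 check also ships on that older line, its section needs a matching #3590 entry carrying the same marker. If it does not, a short remark next to #3582 saying so would keep readers of that section from assuming both CVEs are covered there.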
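Review bot: In the second hunk (@@ -78,7 +78,7 @@), `[CVE-2022-42004]` lands on the wrapped continuation line `use of deeply nested arrays`, so a line-based search for the CVE id returns that line without `#3582` or `BeanDeserializer._deserializeFromArray()`. Consider moving the marker to the entry's first line, right after the issue number, so a single match shows the CVE, the issue and the affected method; the #3590 entry in the first hunk has the same layout. The commit subject names only the issue numbers, so adding both CVE ids there would also make the change findable from the log.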