From 24ea30d1879c20d16a2314834a31378cff1b6a76 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Thu, 25 Jun 2026 11:41:19 +1000 Subject: [PATCH 1/2] UID2-7364: Revert jackson-databind to 2.14.2 to fix downstream breakage The 2.19.0 upgrade broke other services consuming this shared jar. CVE-2026-54512 / CVE-2026-54513 remain suppressed via .trivyignore (added in prior commit) until an upstream patch is released. Co-Authored-By: Claude Sonnet 4.6 --- pom.xml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/pom.xml b/pom.xml index 813251d4..26042f06 100644 --- a/pom.xml +++ b/pom.xml @@ -206,15 +206,10 @@ cbor 0.9 - - com.fasterxml.jackson.core - jackson-core - 2.19.0 - com.fasterxml.jackson.core jackson-databind - 2.19.0 + 2.14.2 org.projectlombok From 5251b24bf6103f75c3b6dd9ce38ec93caa921e03 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Thu, 25 Jun 2026 11:54:46 +1000 Subject: [PATCH 2/2] UID2-7364: Clarify .trivyignore rationale for CVE-2026-54512/54513 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CVEs require polymorphic typing to be explicitly enabled — uid2-shared uses only standard ObjectMapper with no polymorphic deserialization config, so these are not exploitable regardless of the upstream fix status. Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index 034ca026..c8f56aed 100644 --- a/.trivyignore +++ b/.trivyignore 
@@ -6,7 +6,9 @@ # See: UID2-6670 GHSA-72hv-8253-57qq exp:2026-09-01 -# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4) +# jackson-databind polymorphic deserialization bypass - not exploitable, uid2-shared does not enable polymorphic +# typing (no @JsonTypeInfo, enableDefaultTyping, or PolymorphicTypeValidator usage). No upstream fix released yet +# (fix targets: 2.18.8, 2.21.4, 3.1.4; latest available: 2.18.4). # See: UID2-7364 CVE-2026-54512 exp:2026-07-25 CVE-2026-54513 exp:2026-07-25
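Review bot: In the pom.xml hunk, pinning jackson-databind back to 2.14.2 while also dropping the explicit jackson-core entry means jackson-core is now resolved transitively; please confirm in the effective POM (`mvn dependency:tree`) that only one jackson-core version is selected and that it matches 2.14.2, otherwise the downstream breakage this commit is meant to fix can reappear as a core/databind mismatch at runtime. The commit message should also record which consuming services broke and how, since "broke other services" gives the next person no way to test a later re-upgrade, and note that 2.14.2 sits below the fix lines named in .trivyignore (2.18.8, 2.21.4), so the eventual unsuppression will require a multi-minor-version jump rather than a patch bump.

Review bot: In the .trivyignore hunk, the new justification lists `@JsonTypeInfo`, `enableDefaultTyping` and `PolymorphicTypeValidator` as the markers that were checked, but `enableDefaultTyping` was deprecated in favour of `ObjectMapper.activateDefaultTyping(...)` in the 2.10 line, so a search limited to the names in this comment would miss the current API; add `activateDefaultTyping` to the list and, ideally, reference the grep or CI check that backs the "not exploitable" claim so the reasoning is reproducible when the expiry is revisited. Since patch 1/2 describes this module as a shared jar consumed by other services, the comment should also be explicit that the assessment covers uid2-shared's own ObjectMapper usage only and does not extend to consumers that build their own mappers with polymorphic typing on top of this dependency.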