hadoop-client-modules
Chainguard
Status
Impact
The jackson-core vulnerability exists in bundled/shaded JARs within the Hadoop distribution that cannot be updated through Maven dependency management alone. The vulnerability is present in hadoop-client-runtime-3.3.6.jar, which bundles jackson-core 2.13.0. Additionally, jackson-core cannot be upgraded to the fix version (2.15.0+), as that version would not support Java 8, which Hadoop 3.3.6 still requires. Remediation therefore requires an upstream Hadoop release with updated bundled dependencies that maintains Java 8 compatibility.
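One way to confirm whether a given JAR carries a bundled jackson-core below the fix version is shown here as an added example; it is not Chainguard's or Hadoop's tooling. It assumes the shaded JAR retains the bundled artifact's META-INF/maven pom.properties (common with shaded builds, but not guaranteed), and the sample JAR and its "example/shaded/" prefix are constructed for the demonstration.

```python
import io
import re
import zipfile

FIX_VERSION = (2, 15, 0)  # fix version stated in the advisory text
POM_PROPS = re.compile(
    r"(^|/)META-INF/maven/com\.fasterxml\.jackson\.core/jackson-core/pom\.properties$")
# JsonFactory.class under any relocation prefix indicates shaded jackson-core classes.
RELOCATED = re.compile(r"^(?P<prefix>.*?)com/fasterxml/jackson/core/JsonFactory\.class$")

def parse_version(text):
    """Return (major, minor, patch) from a version string such as '2.13.0'."""
    nums = re.findall(r"\d+", text)[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def scan_jar(jar):
    """Scan a JAR (path or file object) for bundled jackson-core.

    Returns the versions found in embedded pom.properties, the relocation
    prefixes of JsonFactory.class, and whether any version is below the fix.
    """
    versions, prefixes = [], []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if POM_PROPS.search(name):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    versions.append(m.group(1).strip())
            m = RELOCATED.match(name)
            if m:
                prefixes.append(m.group("prefix") or "(not relocated)")
    return {
        "versions": versions,
        "relocated_under": prefixes,
        "below_fix": any(parse_version(v) < FIX_VERSION for v in versions),
    }

def build_sample_jar(version):
    """Constructed stand-in for a shaded JAR; not the real Hadoop artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
            f"groupId=com.fasterxml.jackson.core\nartifactId=jackson-core\nversion={version}\n")
        zf.writestr("example/shaded/com/fasterxml/jackson/core/JsonFactory.class", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(scan_jar(build_sample_jar("2.13.0")))
```

Pass the path of a real JAR to scan_jar to check an installed distribution; a result with below_fix set but no Maven-managed jackson-core dependency is the shaded case the impact statement describes.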