hadoop-fips-3.3.6
Chainguard
Status
Impact
The jackson-core vulnerability exists in bundled/shaded JARs within the Hadoop distribution that cannot be updated through Maven dependency management alone. It is present in multiple locations, including cos_api-bundle-5.6.19.jar and hadoop-client-runtime-3.3.6.jar. Additionally, jackson-core cannot be upgraded to the fix version (2.15.0+) because that version would not support Java 8, which Hadoop 3.3.6 still requires. Remediation therefore requires an upstream Hadoop release with updated bundled dependencies that maintains Java 8 compatibility.