diff --git a/0004-CVE-2022-42004.patch b/0004-CVE-2022-42004.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d32918bb283432045ce75c12e68b4dd4d7aae1db
--- /dev/null
+++ b/0004-CVE-2022-42004.patch
@@ -0,0 +1,36 @@
+diff --git a/core/src/main/scala/kafka/admin/ConsumerGroupCommand.scala b/core/src/main/scala/kafka/admin/ConsumerGroupCommand.scala
+index 2fc55bd7b6..e4611256d4 100755
+--- a/core/src/main/scala/kafka/admin/ConsumerGroupCommand.scala
++++ b/core/src/main/scala/kafka/admin/ConsumerGroupCommand.scala
+@@ -21,7 +21,6 @@ import java.time.{Duration, Instant}
+ import java.util.Properties
+ import com.fasterxml.jackson.dataformat.csv.CsvMapper
+ import com.fasterxml.jackson.module.scala.DefaultScalaModule
+-import com.fasterxml.jackson.module.scala.experimental.ScalaObjectMapper
+ import kafka.utils._
+ import kafka.utils.Implicits._
+ import org.apache.kafka.clients.admin._
+@@ -146,7 +145,7 @@ object ConsumerGroupCommand extends Logging {
+ }
+ // Example: CsvUtils().readerFor[CsvRecordWithoutGroup]
+ private[admin] case class CsvUtils() {
+- val mapper = new CsvMapper with ScalaObjectMapper
++ val mapper = new CsvMapper
+ mapper.registerModule(DefaultScalaModule)
+ def readerFor[T <: CsvRecord : ClassTag] = {
+ val schema = getSchema[T]
+diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
+index 8dcf7af2f2..ea0c1af419 100644
+--- a/gradle/dependencies.gradle
++++ b/gradle/dependencies.gradle
+@@ -66,8 +66,8 @@ versions += [
+ grgit: "4.1.1",
+ httpclient: "4.5.13",
+ easymock: "4.2",
+- jackson: "2.10.5",
+- jacksonDatabind: "2.10.5.1",
++ jackson: "2.13.4",
++ jacksonDatabind: "2.13.4.2",
+ jacoco: "0.8.5",
+ javassist: "3.27.0-GA",
+ jetty: "9.4.48.v20220622",
diff --git a/kafka.spec b/kafka.spec
index eff35e72872de9cf02de2bdaeaa729fcd332b75a..71fc6d0a43c79347bfa1eda13970af9fc1c77c96 100644
--- a/kafka.spec
+++ b/kafka.spec
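Review bot: The bundled patch drops the `ScalaObjectMapper` mixin from `CsvUtils.mapper`, but the body of `readerFor` (and any sibling `writerFor`) continues past the hunk; if those methods call the mixin's ClassTag-based overloads (`mapper.readerFor[T]`, `mapper.readValue[T]`) rather than `mapper.readerFor(implicitly[ClassTag[T]].runtimeClass)`, the backport will not compile against the 2.13.4 module, so the rest of that class should be checked before building. The mixin removal itself is only a compatibility shim (jackson-module-scala 2.13 deprecates `experimental.ScalaObjectMapper`, as far as I recall); the actual CVE-2022-42004 fix is the `jacksonDatabind: "2.13.4.2"` bump in the gradle hunk, so the two changes must ship together. Because `jackson` in `dependencies.gradle` is a shared version key, every Jackson artifact Kafka pulls in (dataformat-csv, module-scala, jdk8 datatypes, jaxrs providers) moves from 2.10 to 2.13 at once, so a full build plus the `ConsumerGroupCommand` CSV export/import tests is the minimum verification. If I remember the databind release notes correctly, 2.13.4.2 also carries the CVE-2022-42003 fix, which is worth recording alongside this one for vulnerability tracking.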
@@ -4,7 +4,7 @@ Name: kafka Version: 2.8.2 -Release: 3 +Release: 4 Summary: A Distributed Streaming Platform. License: Apache-2.0 @@ -15,6 +15,7 @@ Source3: gradle-wrapper.jar Patch0: 0001-adopt-huaweimaven.patch Patch1: 0002-CVE-2022-41881.patch Patch2: 0003-CVE-2023-34455.patch +Patch3: 0004-CVE-2022-42004.patch BuildRequires: systemd java-1.8.0-openjdk-devel Provides: kafka = %{version} @@ -66,8 +67,11 @@ cp -pr licenses/* $RPM_BUILD_ROOT%{kafka_home}/licenses rm -rf %{buildroot} %changelog +* Thu Sep 21 2023 sundapeng - 2.8.2-4 +-fix CVE-2022-42004 + * Fri Sep 1 2023 sundapeng - 2.8.2-3 -- fix CVE-2023-34455.patch +- fix CVE-2023-34455 * Wed Aug 30 2023 sundapeng - 2.8.2-2 - fix CVE-2022-41881
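Review bot: The new `Patch3: 0004-CVE-2022-42004.patch` line only declares the patch; whether it is actually applied is decided by the `%prep` section, which is outside this hunk. If `%prep` uses `%autosetup -p1` or `%autopatch` it is picked up automatically, but if it lists `%patch0 -p1` … `%patch2 -p1` individually, a matching `%patch3 -p1` must be added or the package is rebuilt without the fix while the changelog claims it. Worth confirming in the build log that the patch is applied and that the resulting `libs/` directory contains jackson-databind 2.13.4.2 rather than 2.10.5.1.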