FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.debian.org/security/2019/dsa-4542
https://security.netapp.com/advisory/ntap-20190703-0002/
https://seclists.org/bugtraq/2019/Oct/6
https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html
https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad
https://doyensec.com/research.html
https://blog.doyensec.com/2019/07/22/jackson-gadgets.html
https://access.redhat.com/errata/RHSA-2019:4352
https://access.redhat.com/errata/RHSA-2019:3901
https://access.redhat.com/errata/RHSA-2019:3297
https://access.redhat.com/errata/RHSA-2019:3292
https://access.redhat.com/errata/RHSA-2019:3200
https://access.redhat.com/errata/RHSA-2019:3149
https://access.redhat.com/errata/RHSA-2019:2998
https://access.redhat.com/errata/RHSA-2019:2938
https://access.redhat.com/errata/RHSA-2019:2937
https://access.redhat.com/errata/RHSA-2019:2936
https://access.redhat.com/errata/RHSA-2019:2935
https://access.redhat.com/errata/RHSA-2019:2858