A flaw was found in jackson-databind versions before 2.9.10.7 and 2.6.7.5. FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
bugzilla.redhat.com/show_bug.cgi?id=1916633
github.com/FasterXML/jackson-databind
github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88
github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
github.com/FasterXML/jackson-databind/issues/2854
lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
lists.debian.org/debian-lts-announce/2021/04/msg00025.html
nvd.nist.gov/vuln/detail/CVE-2021-20190
security.netapp.com/advisory/ntap-20210219-0008
www.oracle.com//security-alerts/cpujul2021.html