FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
The following conditions are needed for an exploit, we recommend avoiding all if possible:
enableDefaultTyping()
@JsonTypeInfo using
id.CLASSor
id.MINIMAL_CLASS`