The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix: * jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis * jackson-databind: improper polymorphic deserialization of types from Jodd-db library * jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver * jackson-databind: arbitrary code execution in slf4j-ext class * jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes * jackson-databind: improper polymorphic deserialization in axis2-transport-jms class * jackson-databind: improper polymorphic deserialization in openjpa class * jackson-databind: improper polymorphic deserialization in jboss-common-core class * jackson-databind: exfiltration/XXE in some JDK classes * jackson-databind: server-side request forgery in axis2-jaxws class For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.