A deserialization flaw in jackson-databind was found allowing code execution when given maliocusly crafted input to readValue method of ObjectMapper. ~ eleix (Security Padawan)
Fixed in version(s) >=2.8.10, 2.9.1 https://github.com/FasterXML/jackson-databind/issues/1847
Superseded by: bug 648952