There are two potential remote code execution (RCE) vulnerabilities in jackson-databind before 2.9.6. Note: this version (2.9.6) ships bundled with pycharm-community-2018.3.3.
CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
Gentoo Security Padawan
Package removed from the Portage tree.