  1. Optimization Framework
  2. OPTFRA-624

CMSO Security/Vulnerability CVE-2019-12384 jackson-databind


    • Bug
    • Resolution: Done
    • Medium
    • None
    • El Alto Release
    • CMSO
    • None

       


      FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. The jackson-databind package is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects, such as ch.qos.logback.core.db.DriverManagerConnectionSource, to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

       

      com.fasterxml.jackson.core jackson-databind 2.9.9 CVE-2019-12384 Ineffective
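
One way to confirm whether a build still resolves an affected jackson-databind and whether logback-core is on the same classpath, as an added example that is not part of the original issue or the CMSO code base. It assumes dependency lines in the `mvn dependency:list` format; the function names and the sample lines are constructed for illustration, and the affected range is the one stated in the issue text.

```python
import re

# Values taken from the issue text above.
ARTIFACT = ("com.fasterxml.jackson.core", "jackson-databind")
FIXED = (2, 9, 9, 1)                          # "2.x before 2.9.9.1"
GADGET = ("ch.qos.logback", "logback-core")   # class source named in the issue


def parse_version(text):
    """Turn '2.9.9' or '2.9.9.1' into a 4-tuple of ints.

    Qualifiers such as '-SNAPSHOT' are ignored, so a snapshot of the
    fixed version is treated as fixed.
    """
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group().split("."))
    return parts + (0,) * (4 - len(parts))    # pad so 2.9.9 < 2.9.9.1


def audit(lines):
    """Return (affected jackson-databind versions, logback-core present)."""
    affected, gadget_present = [], False
    for line in lines:
        fields = line.replace("[INFO]", "").strip().split(":")
        if len(fields) < 5:                   # not group:artifact:type:version:scope
            continue
        coords, version = (fields[0], fields[1]), fields[-2]
        if coords == GADGET:
            gadget_present = True
        elif coords == ARTIFACT:
            parsed = parse_version(version)
            if parsed[0] == 2 and parsed < FIXED:
                affected.append(version)
    return affected, gadget_present


# Constructed sample input, shaped like `mvn dependency:list` output.
SAMPLE = [
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile",
    "[INFO]    ch.qos.logback:logback-core:jar:1.2.3:runtime",
]

if __name__ == "__main__":
    affected, gadget_present = audit(SAMPLE)
    print("affected jackson-databind:", affected or "none")
    print("logback-core on classpath:", gadget_present)
```

A result with an affected version and logback-core both present matches the condition the issue describes; upgrading jackson-databind to 2.9.9.1 or later clears the first finding.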

            jf9860 jf9860
            jf9860 jf9860