CVE-2019-14892: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2019-14892) was discovered in jackson-databind versions before 2.9.10, 2.8.11.5, and 2.6.7.3. The vulnerability allows polymorphic deserialization of malicious objects using commons-configuration 1 and 2 JNDI classes, potentially enabling arbitrary code execution (NVD, Red Hat Bugzilla).

The vulnerability is related to unsafe deserialization in jackson-databind, specifically involving serialization gadgets in the commons-configuration packages. It received a CVSS v3.1 base score of 9.8 (Critical) from NVD and 7.5 (High) from Red Hat, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-502 (Deserialization of Untrusted Data) (NVD, NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Most critically, an attacker could potentially execute arbitrary code on the affected systems (NetApp Advisory, NVD).

The vulnerability was fixed in jackson-databind versions 2.9.10, 2.8.11.5, and 2.6.7.3. Organizations are advised to upgrade to these or later versions. For systems that cannot be immediately updated, it's important to note that the vulnerability requires polymorphic unmarshalling to be enabled to be exploitable (Red Hat Bugzilla, GitHub Issue).