
Cloud Vulnerability DB
A community-led vulnerabilities database
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). The vulnerability was discovered in March 2020 and assigned identifier CVE-2020-10672 (NVD).
The vulnerability has a CVSS v3.1 Base Score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It affects the interaction between serialization gadgets and polymorphic typing in jackson-databind versions prior to 2.9.10.4, specifically through the org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory class (NVD, Jackson Issue).
A successful exploitation of this vulnerability could lead to remote command execution with high impacts on confidentiality, integrity and availability of the affected system (NVD, NetApp Advisory).
The recommended mitigation is to upgrade jackson-databind to version 2.9.10.4 or later. The fix blocks the problematic gadget type related to aries.transaction.jms (Jackson Issue, Debian Advisory).
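The passages above describe the gadget-and-typing interaction and the upgrade that blocks this particular class. Like the other jackson-databind gadget CVEs, the class is only reachable when polymorphic type handling resolves class names taken from untrusted JSON, so the configuration-level defence is to stop resolving arbitrary class names at all. The following is an added example, not code from the advisory or from the jackson-databind project: it contrasts the weak legacy `enableDefaultTyping()` setting with an allowlist-based `BasicPolymorphicTypeValidator`, and shows a type id outside the allowlist being rejected before any object is instantiated. It assumes jackson-databind 2.10 or later (where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` exist; the advisory's fixed version 2.9.10.4 only extends the built-in deny-list); the package name, the `Event` types and the JSON inputs are placeholders constructed for the example.

```java
package com.example.events; // placeholder package used as the allowlist prefix below

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not the advisory's or the project's code): weak vs. hardened
// polymorphic typing configuration in jackson-databind 2.10+.
public class SafeTypingExample {

    // The application's own polymorphic base type and one permitted subtype.
    public interface Event { }
    public static class LoginEvent implements Event {
        public String user;
    }

    // Weak setting: any class name found in "@class" is resolved and instantiated,
    // so every gadget class on the classpath becomes reachable from untrusted JSON.
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Corrected setting: only subtypes under the application's own package may be
    // named as type ids; any other class name is rejected before instantiation.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.") // placeholder allowlist prefix
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = safeMapper();

        // Constructed input naming an allowed application subtype: accepted.
        String trusted = "{\"@class\":\"com.example.events.SafeTypingExample$LoginEvent\",\"user\":\"alice\"}";
        Event ok = safe.readValue(trusted, Event.class);
        System.out.println("accepted: " + ok.getClass().getName());

        // Constructed input naming a JDK class outside the allowlist: the validator
        // denies the type id and Jackson throws before creating any object.
        String untrusted = "{\"@class\":\"java.util.HashMap\"}";
        try {
            safe.readValue(untrusted, Event.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected by validator: " + e.getOriginalMessage());
        }
    }
}
```

The allowlist is the important part: a prefix covering only the application's own types means a newly discovered gadget class does not change the exposure, whereas the deny-list that 2.9.10.4 extends must be updated every time another class is found. Where `@JsonTypeInfo` is used directly on fields, the same validator can be supplied globally through `ObjectMapper.setPolymorphicTypeValidator`.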
The vulnerability was reported by multiple researchers, including Srikanth Ramu and threedr3am's follower. The jackson-databind maintainers responded quickly by releasing a patch in version 2.9.10.4. The issue received attention from major vendors such as Oracle, NetApp and Debian, each of which released its own security advisory (Jackson Issue).
Source: This report was generated using AI