CVE-2020-10969: 
Java vulnerability analysis and mitigation

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. The vulnerability was disclosed on March 26, 2020 (CVE Mitre).

The vulnerability exists in the interaction between serialization gadgets and typing functionality in jackson-databind, specifically related to the javax.swing.JEditorPane class. This issue affects jackson-databind versions 2.x prior to 2.9.10.4. The vulnerability has a CVSS v3.1 score of 8.8 (HIGH) indicating significant severity (NetApp Advisory).

If successfully exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The vulnerability was fixed in jackson-databind version 2.9.10.4. Users should upgrade to this version or later. For versions 2.10.0 and later, the vulnerability is mitigated by default due to Safe Default Typing being enabled. Organizations using affected versions should upgrade to patched versions: 2.9.10.4, 2.8.11.6 (jackson-bom version 2.8.11.20200310), or 2.7.9.7 (GitHub Issue).

The vulnerability was reported by security researcher threedr3am. A detailed blog post by the jackson-databind maintainer (@cowtowncoder) explains the vulnerability context and advises users not to panic, providing guidance on proper mitigation steps (Medium Blog).