CVE-2020-11111: 
Java vulnerability analysis and mitigation

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). The vulnerability was discovered and disclosed in March 2020 (CVE Mitre).

The vulnerability exists in the interaction between serialization gadgets and typing functionality in jackson-databind, specifically affecting the org.apache.activemq.* classes. This includes activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms components. The issue is mitigated by default in versions 2.10 and later where Safe Default Typing is enabled, but remains an issue when Default Typing is explicitly enabled (Jackson Blog).

The vulnerability could potentially allow attackers to execute arbitrary code or cause denial of service when exploited in applications using affected versions of jackson-databind with specific configurations. The CVSS score of 8.8 (HIGH) indicates significant potential impact on confidentiality, integrity, and availability (Oracle CPU).

The vulnerability is fixed in jackson-databind version 2.9.10.4. Users should upgrade to this version or later. For version 2.10 and above, the vulnerability is mitigated by default due to Safe Default Typing being enabled. Organizations using affected versions should upgrade their dependencies to patched versions (Debian Security).