CVE-2020-11112: 
Java vulnerability analysis and mitigation

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). The vulnerability was discovered and disclosed in March 2020 and assigned identifier CVE-2020-11112 (MITRE, NVD).

The vulnerability exists in the interaction between serialization gadgets and typing functionality in jackson-databind, specifically related to the org.apache.commons.proxy.provider.remoting.RmiProvider class from the apache/commons-proxy library. The issue affects jackson-databind versions 2.x prior to 2.9.10.4, though versions from 2.10.0 onwards are not affected due to Safe Default Typing being enabled by default (Jackson Blog).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NetApp Advisory).

The primary mitigation is to upgrade jackson-databind to version 2.9.10.4 or later. For versions 2.10.0 and later, the vulnerability is mitigated by default as Safe Default Typing is enabled. If upgrading is not immediately possible, it is recommended to avoid enabling default typing and using java.lang.Object as the nominal type for polymorphic values (Jackson Blog).