CVE-2020-8840: 
Java vulnerability analysis and mitigation

CVE-2020-8840 affects FasterXML jackson-databind versions 2.0.0 through 2.9.10.2. The vulnerability was discovered and disclosed on February 10, 2020. The issue involves insufficient xbean-reflect/JNDI blocking, which can be demonstrated through org.apache.xbean.propertyeditor.JndiConverter (NVD, GitHub Issue).

The vulnerability is related to deserialization of untrusted data without proper validation in the jackson-databind library, which is used to parse JSON and other data formats. The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Huawei Advisory).

Successful exploitation of this vulnerability could allow a malicious client to perform remote code execution on a service with the required characteristics. The vulnerability can lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The vulnerability has been fixed in jackson-databind versions 2.9.10.3 (jackson-bom version 2.9.10.20200223), 2.8.11.5 (jackson-bom version 2.8.11.20200210), and 2.7.9.7. The issue does not affect version 2.10.0 and later. Organizations should upgrade to the fixed versions as soon as possible (GitHub Issue).