CVE-2020-9548: 
Java vulnerability analysis and mitigation

CVE-2020-9548 affects FasterXML jackson-databind versions 2.x before 2.9.10.4. The vulnerability involves mishandling of the interaction between serialization gadgets and typing, specifically related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). The vulnerability was disclosed in March 2020 (NVD).

The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates a critical severity issue that can be exploited over the network with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity and availability (NVD).

A successful exploitation of this vulnerability could allow attackers to execute arbitrary code or cause other unspecified impacts when deserialization of untrusted data occurs (Ubuntu).

The vulnerability is fixed in jackson-databind version 2.9.10.4. Organizations should upgrade to this version or later. For versions 2.10.0 and later, the issue is mitigated by default as Safe Default Typing is enabled (GitHub Issue).

Multiple vendors have released security advisories and patches for this vulnerability, including Oracle, NetApp, and Debian. Oracle included fixes in multiple Critical Patch Updates throughout 2020 and 2021 (NetApp Advisory, Oracle CPU).