FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Apache
Deserialization
Jackson Databind
Cloud Backup
Service Level Manager
+42
NVD
GitHub
VulDB
CVSS 3.1
8.1
EPSS
2.2%