https://bugzilla.redhat.com/show_bug.cgi?id=1725807
--- Doc Text *updated* by Jonathan Christison jochrist@redhat.com ---

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()`, when `@JsonTypeInfo` is using `Id.CLASS` or `Id.MINIMAL_CLASS`, or in any other way in which `ObjectMapper.readValue` might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
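The configuration difference behind this flaw, as an added example (not code from the bug report or from the jackson-databind project): a field that lets the JSON name the class to instantiate, beside a declaration that maps logical names to a closed list of subtypes. The class names `TypedInputExample`, `UnsafeEnvelope`, `Shape`, `Circle` and `Square` and the type id `com.example.NotListed` are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class TypedInputExample {

    // Weak pattern named in the Doc Text: the JSON itself names the Java
    // class to instantiate, for a field whose declared type is Object.
    public static class UnsafeEnvelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Hardened pattern: the JSON carries a logical name, and only the
    // subtypes listed here can ever be instantiated for a Shape.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME,
                  include = JsonTypeInfo.As.PROPERTY,
                  property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}

    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // Returns the simple name of the class Jackson chose, or
    // "rejected:<id>" when the type id is not in the declared list.
    static String parse(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Shape.class).getClass().getSimpleName();
        } catch (InvalidTypeIdException e) {
            return "rejected:" + e.getTypeId();
        }
    }

    public static void main(String[] args) throws Exception {
        // Plain mapper: enableDefaultTyping() is deliberately not called.
        ObjectMapper mapper = new ObjectMapper();
        // Constructed sample inputs: a listed name, then an unlisted class name.
        System.out.println(parse(mapper, "{\"type\":\"circle\",\"radius\":2.0}"));
        System.out.println(parse(mapper, "{\"type\":\"com.example.NotListed\"}"));
    }
}
```

With the name-based declaration, a class name supplied in the input is treated as an unknown type id and fails with `InvalidTypeIdException` instead of being loaded.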