CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Date published : 2020-12-26

https://security.netapp.com/advisory/ntap-20210129-0007/

https://github.com/FasterXML/jackson-databind/issues/2999