Description
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).