jackson-databind.jar v2.8.10 has some reported vulnerabilities. The latest minor release has a fix
Upgrade to v2.8.11.1 of jackson-databind