Vulnerable to deserialization of untrusted data with logback-core or jdom on the classpath. Upgrade to 2.9.9.1 or higher.