In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB and Puppet Enterprise contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18, Puppet Enterprise 2018.1.16, and Puppet Enterprise 2019.8.1 contain an updated version of jackson-databind that has patched the vulnerabilities.
For more information about these vulnerabilities, refer to the following links:
Affected software versions: