pingidentity / scim2

The UnboundID SCIM 2.0 SDK for Java

Scim2 is using jackson-databind with some security issues

ShaManHFel opened this issue

Describe the bug
There were some security fixes in jackson-databind put in versions 2.9.9.1 through 2.9.9.3. Please upgrade to 2.9.9.3.

Additional context
An excerpt from the jackson-databind changelog:

2.9.9.3 (06-Aug-2019)

#2395: NullPointerException from ResolvedRecursiveType (regression due to fix for #2331)
(reported by Michael S)

2.9.9.2 (27-Jul-2019)

#2331: JsonMappingException through nested getter with generic wildcard return type
#2387: Block yet another deserialization gadget (CVE-2019-14379)
#2389: Block yet another deserialization gadget (CVE-2019-14439)
(reported by xiexq)

2.9.9.1 (03-Jul-2019)

#2334: Block one more gadget type (CVE-2019-12384)
#2341: Block one more gadget type (CVE-2019-12814)
#2374: ObjectMapper.getRegisteredModuleIds() throws NPE if no modules registered
(reported by Edgar A)

Release 2.3.1 will include jackson-databind 2.9.9.3.
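
A check for projects that pull in jackson-databind transitively, as an added example that is not part of the original issue or the scim2 project: it scans `mvn dependency:tree` output for resolved jackson-databind versions older than the 2.9.9.3 the issue requests. The tree text and every coordinate other than jackson-databind are constructed placeholders.

```python
import re

# Version requested in the issue (taken from the page).
REQUIRED = (2, 9, 9, 3)
ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"

# Constructed sample of `mvn dependency:tree` output; the com.example
# coordinates are placeholders, not real artifacts.
SAMPLE_TREE = """\
[INFO] com.example:scim-consumer:jar:1.0.0
[INFO] +- com.example:scim-sdk-placeholder:jar:0.0.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] \\- com.example:other-lib:jar:3.1:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.3:runtime
"""

# Maven prints groupId:artifactId:type[:classifier]:version:scope.
LINE = re.compile(
    re.escape(ARTIFACT) + r":[^:\s]+:(?:[^:\s]+:)?(\d[^:\s]*):(\w+)"
)


def parse_version(text):
    """Turn '2.9.9.3' into (2, 9, 9, 3); pad '2.9.9' to (2, 9, 9, 0)."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:  # stop at a non-numeric qualifier such as 'pr1'
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (4 - len(nums)))


def outdated(tree_text, required=REQUIRED):
    """Return (version, scope) for each jackson-databind older than required."""
    hits = []
    for line in tree_text.splitlines():
        m = LINE.search(line)
        if m and parse_version(m.group(1)) < required:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for version, scope in outdated(SAMPLE_TREE):
        print(f"jackson-databind {version} ({scope}) is older than 2.9.9.3")
```

The comparison treats the micro-patch component (the fourth number) as significant, so 2.9.9 and 2.9.9.1 are both reported while 2.9.9.3 is not.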