jackson-databind:2.9.4 comes from Calcite avatica:1.12.0 shaded jar: https://mvnrepository.com/artifact/org.apache.calcite.avatica/avatica/1.12.0
that jar has also reported vulnerability :CVE-2022-36364, we should try to upgrade it. Another one is htrace-core:3.1.0-incubating from accumulo-core:1.10.1 https://mvnrepository.com/artifact/org.apache.htrace/htrace-core/3.1.0-incubating Same story: CVE-2022-36364