A security scan has shown that the 4.9.0 driver has a vulnerable version of Jackson Databind in its dependencies(version 188.8.131.52). This is likely due to the Java driver depending on version 3.4.8 of Tinkerpop, which was recently (August 2020) released and updated its dependency to 184.108.40.206 of Databind. This ticket is mostly a repeat of JAVA-2859, where we likely have to get Tinkerpop to upgdate Databind and release, then update the driver to use the new Tinkerpop version.
Jackson Databind in the driver is already 2.11.0. This is issue is really only around upgrading TinkerPop.
Jackson has been upgraded to 2.12.0 and Tinkerpop to 3.4.9. To be released in 4.10.