A security scan has shown that the 4.9.0 driver has a vulnerable version of Jackson Databind in its dependencies (version 2.9.10.5). This is likely due to the Java driver depending on version 3.4.8 of TinkerPop, which was recently (August 2020) released and updated its dependency to 2.9.10.5 of Databind. This ticket is mostly a repeat of JAVA-2859, where we likely have to get TinkerPop to upgrade Databind and release, then update the driver to use the new TinkerPop version.
CVE seems to be CVE-2020-24750.
Jackson Databind in the driver is already 2.11.0. This issue is really only around upgrading TinkerPop.
TINKERPOP-2401 shows that the Jackson version was bumped in the 3.4.9 and 3.5.0 releases of TinkerPop.
Jackson has been upgraded to 2.12.0 and TinkerPop to 3.4.9. To be released in 4.10.