The source project of this merge request has been removed.
Master
It seems a false positive to me according to this https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1742344745 and the whole discussion around that comment.
I've also noticed that other advisories, such as GitHub Advisory (and OS package based ones such as the Red Hat and Debian advisories), do not list it: https://access.redhat.com/security/cve/CVE-2023-35116
The vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.