Bill Stephens just for the future, please follow the https://jenkins.io/security/#reporting-vulnerabilities process if you see security-related issues. Regarding this particular CVE, we recently did investigation, and we didn't discover any usages of the vulnerable API in JIRA. Updates would be nice, but there is no security defect on the Jenkins side. If you see ones, please report them accordingly.
Generally all listed plugins should switch to Jackson Databind Plugin or Jackson2 API Plugin so that they do not bundle the dependencies on their own