Jackson-databind is actually not such an old version. The problem with Jackson databind is that for deserialization it has just a blacklist of objects not to deserialize, and it is impossible to keep that blacklist up to date. For version 3.0 they change to a whitelist approach, it seems, which will resolve those errors. Until then, all future versions of databind based on a blacklist approach are vulnerable. BTW, this is for all applications using that library. Spring Security has put additional items on the blacklist on top of that, so even if Nexus IQ shows a security issue with databind but you have introduced additional means (e.g. you or another have worked on the blacklist) to be less vulnerable, Nexus IQ can’t know. BTW, this is also what they explain when you open the detail of the security assessment.
Then, it depends on how you deploy software such as Solr in your enterprise environment and the risks related to that. E.g. one could have introduced means as above. Most of the users usually don’t have direct access to Solr itself but go through a custom application, so there is no “direct” attack possible.
Finally, the absence of findings in the report does not mean an application is secure.
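
As an added illustration (not part of the original message and not Solr's or Spring Security's code), this is what an allow-list for polymorphic deserialization looks like, as opposed to the blacklist described above. It assumes jackson-databind 2.10 or later on the classpath, which offers an opt-in `PolymorphicTypeValidator`; the class names `AllowListDemo`, `Note` and `Other` are hypothetical.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowListDemo {
    // Constructed sample types: Note is the input the application expects,
    // Other stands in for any class on the classpath it never meant to accept.
    public static class Note { public String text; }
    public static class Other { public String value; }

    // Mapper with default typing enabled, but only Note and its subtypes
    // may be named as a type id in incoming JSON.
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // True if the mapper instantiates the type named in the JSON,
    // false if the validator refuses the type id.
    static boolean accepts(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = allowListMapper();
        // Constructed inputs in default typing's wrapper-array form: ["<class name>", {...}]
        String listed = "[\"" + Note.class.getName() + "\",{\"text\":\"hi\"}]";
        String unlisted = "[\"" + Other.class.getName() + "\",{\"value\":\"hi\"}]";
        System.out.println("listed type accepted:   " + accepts(mapper, listed));
        System.out.println("unlisted type accepted: " + accepts(mapper, unlisted));
    }
}
```

A dependency scanner sees only the library version, so a configuration like this is one of the additional means it cannot take into account.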