Skip to content

Commit

Permalink
MNSTR-5023 backport security fix from jackson2 - Block one more gadge…
Browse files Browse the repository at this point in the history 
…t type (org.jsecurity, 2020-14195)

Merged from FasterXML/jackson-databind#2765
  • Loading branch information
@tkanafa-atlassian
tkanafa-atlassian committed Apr 20, 2021
1 parent 4fca498 commit 55468b4
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions release-notes/VERSION
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ One more patch release for 1.9.
* [databind#2462]: Block two more gadget types (commons-configuration/-2, CVE-2019-14892)
* [databind#2469]: Block one more gadget type (xalan2, might be related to CVE-2019-14893)
* [databind#2704]: Block one more gadget type (xalan2, CVE-2020-14062)
* [databind#2765]: Block one more gadget type (org.jsecurity, 2020-14195)

1.9.13 (14-Jul-2013)

Expand Down
3 changes: 3 additions & 0 deletions src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,9 @@ public class SubTypeValidator
s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
s.add("oracle.jms.AQjmsXAConnectionFactory");

// [databind#2764]: org.jsecurity:
s.add("org.jsecurity.realm.jndi.JndiRealmFactory");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

Expand Down

0 comments on commit 55468b4

Please sign in to comment.