Skip to content

Commit

Permalink
Fix #2648
Browse files Browse the repository at this point in the history
  • Loading branch information
@cowtowncoder
cowtowncoder committed Mar 10, 2020
1 parent 6ba4845 commit 3240cab
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions release-notes/VERSION
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ Project: jackson-databind
#2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
#2462: Block two more gadget types (commons-configuration/-2)
#2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
#2648: Block one more gadget type (shiro-core, CVE-to-be-allocated)
#2498: Block one more gadget type (log4j-extras/1.2, CVE-2019-17531)
#2526: Block two more gadget types (ehcache/JNDI, CVE-2019-20330)
(reported by UltramanGaia)
Expand Down
3 changes: 3 additions & 0 deletions src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,9 @@ public class SubTypeValidator
// [databind#2642]: javax.swing (jdk)
s.add("javax.swing.JEditorPane");

// [databind#2648]: shire-core
s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

Expand Down

0 comments on commit 3240cab

Please sign in to comment.