From 914e7c9f2cb8ce66724bf26a72adc7e958992497 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sun, 9 Feb 2020 15:16:04 -0800
Subject: [PATCH] Fix #2620

---
 release-notes/VERSION | 6 ++++--
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 8d154e031a..f097fa9fbc 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -16,8 +16,10 @@ Unreleased but backported
 #2469: Block one more gadget type (xalan2)
 #2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
 #2498: Block one more gadget type (log4j-extras/1.2, CVE-2019-17531)
-#2526: Block two more gadget types (ehcache/JNDI - CVEs to be allocated)
- (repoerted by UltramanGaia)
+#2526: Block two more gadget types (ehcache/JNDI, CVE-2019-20330)
+ (reported by UltramanGaia)
+#2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-xxxxx)
+ (reported by threedr3am)
 
 2.8.11.4 (25-Jul-2019)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 1b616b26ae..06901bf970 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -127,6 +127,9 @@ public class SubTypeValidator
         s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
         s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
 
+        // [databind#2620]: xbean-reflect
+        s.add("org.apache.xbean.propertyeditor.JndiConverter");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
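Review bot: The new denylist entry `s.add("org.apache.xbean.propertyeditor.JndiConverter");` lands without a regression test; the diffstat shows only `release-notes/VERSION` and `SubTypeValidator.java` changed. A test asserting that this class name is rejected by the validator would keep the entry from being silently dropped when the fix is merged forward to later branches, which is the main risk for a list maintained one gadget at a time. Judging from the surrounding `s.add(...)` / `Collections.unmodifiableSet(s)` pattern the check appears to be an exact class-name match, so the block does not extend to subclasses; that is the existing design of the list, but it is worth saying in the comment, e.g. `// [databind#2620]: xbean-reflect (exact class-name match, as for the entries above)`. The release note still carries the placeholder `CVE-2020-xxxxx`, which should be replaced once the identifier is allocated. The initializer that builds the set starts before this hunk.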