From 5f7c69bba07a7155adde130d9dee2e54a54f1fa5 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 13 Jun 2019 20:24:03 -0700
Subject: [PATCH] Fix #2341
---
 release-notes/VERSION | 1 +
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 815bb188e1..f31547b680 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -9,6 +9,7 @@ Not yet released
 #2326: Block class for CVE-2019-12086
 (contributed by MaximilianTews@github)
 #2334: Block class for CVE-2019-12384
+#2341: Block class for CVE-2019-12814
 2.7.9.5 (23-Nov-2018)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 102abb6e24..c4d7f38272 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -82,9 +82,13 @@ public class SubTypeValidator
 // [databind#2326] (2.7.9.6): one more 3rd party gadget
 s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
- // [databind#2334] (2.9.9.1): logback-core
+ // [databind#2334]: logback-core
 s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
-
+
+ // [databind#2341]: jdom/jdom2
+ s.add("org.jdom.transform.XSLTransformer");
+ s.add("org.jdom2.transform.XSLTransformer");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
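Review bot: The new `// [databind#2341]: jdom/jdom2` comment gives only the issue number, and the same commit strips `(2.9.9.1)` from the #2334 comment while #2326 keeps `(2.7.9.6)`, so the block list no longer says consistently which advisory or release each entry belongs to. Since release-notes/VERSION in this commit ties #2341 to CVE-2019-12814, I would write `// [databind#2341]: jdom/jdom2 XSLTransformer (CVE-2019-12814)` and either keep or drop the version tags on all entries. The entries are exact class names added to a set; if the check is a plain name lookup, as it appears, relocated or subclassed copies of these types are not matched, which is worth one sentence in the comment above the static block. The diffstat lists no test file, so nothing in the commit confirms that either name is rejected at deserialization time. The static block begins above the hunk.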