From 68d52f1a1c38042bb78501dd47ea94f73afa8a92 Mon Sep 17 00:00:00 2001
From: Marek Tokarski
Date: Fri, 8 May 2020 11:18:06 +0200
Subject: [PATCH] Block one more gadget type (openjpa, CVE-2020-11113)

Merged from FasterXML/jackson-databind#2670
---
 release-notes/VERSION | 1 +
 .../codehaus/jackson/map/jsontype/impl/SubTypeValidator.java | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 81814db9a..3c46bfe74 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -59,6 +59,7 @@ One more patch release for 1.9.
 * [databind#2662]: Block one more gadget type (bus-proxy, CVE-2020-10968)
 * [databind#2664]: Block one more gadget type (activemq-pool[-jms], CVE-2020-11111)
 * [databind#2666]: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
+* [databind#2670]: Block one more gadget type (openjpa, CVE-2020-11113)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index e07ac2569..df9f8da50 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -71,10 +71,11 @@ public class SubTypeValidator
 s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
 s.add("com.sun.deploy.security.ruleset.DRSHelper");
 s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
- // [databind#2186]: yet more 3rd party gadgets
+ // [databind#2186], [databind#2670]: yet more 3rd party gadgets
 s.add("org.jboss.util.propertyeditor.DocumentEditor");
 s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
 s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+ s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
 s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
 // [databind#2326] (2.9.9): one more 3rd party gadget
 s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
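Review bot: The trailing comment on the added `WASRegistryManagedRuntime` line, `// [#2670] addition`, drops the `databind` prefix that the group comment above it and the VERSION entry both use, so in this repository the bare `#2670` reads as a local issue number rather than the jackson-databind one. I would write the line as `s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [databind#2670], CVE-2020-11113`, which also ties the entry to the advisory named in the commit subject. The diffstat lists only VERSION and SubTypeValidator.java, so nothing in this patch pins the new entry with a test; a case asserting that this class name is rejected as a polymorphic subtype would guard against the line being lost in a later merge. The set `s` is populated in a block that starts and ends outside the hunk, so how the names are matched (presumably by exact class name, as the string literals suggest) is not visible here and should be confirmed against the rest of the file.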