From f0cf1a018c18e3acae05ae4a1ea5f33d7f9a9856 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sun, 9 Feb 2020 15:16:04 -0800
Subject: [PATCH] Fix #2620
---
 release-notes/VERSION | 8 +++++---
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 293e521bcb..9c6a744775 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -11,9 +11,11 @@ Project: jackson-databind
 #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
 #2462: Block two more gadget types (commons-configuration/-2)
 #2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
-#2498: Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531)
-#2526: Block two more gadget types (ehcache/JNDI - CVEs to be allocated)
- (repoerted by UltramanGaia)
+#2498: Block one more gadget type (log4j-extras/1.2, CVE-2019-17531)
+#2526: Block two more gadget types (ehcache/JNDI, CVE-2019-20330)
+ (reported by UltramanGaia)
+#2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-xxxxx)
+ (reported by threedr3am)
 2.7.9.6 (26-Jul-2019)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 9b93e9ede2..7234cc127a 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -123,6 +123,9 @@ public class SubTypeValidator
 s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
 s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
+ // [databind#2620]: xbean-reflect
+ s.add("org.apache.xbean.propertyeditor.JndiConverter");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
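Review bot: The new `s.add("org.apache.xbean.propertyeditor.JndiConverter")` entry is not exercised by any test in this patch — the diffstat lists only VERSION and SubTypeValidator.java — so a typo in the fully-qualified name would leave the gadget unblocked with no signal; a unit test asserting that a polymorphic payload naming that class is rejected by the validator should accompany the entry. The added comment `// [databind#2620]: xbean-reflect` would serve future readers better if it recorded why the class is dangerous and the CVE once allocated, e.g. `// [databind#2620]: xbean-reflect JndiConverter resolves a string property via JNDI lookup (CVE-2020-xxxxx; update when assigned)`. Since the set holds exact fully-qualified class names, this remains a per-gadget mitigation rather than a fix for the underlying risk of enabling default typing on untrusted input, which is worth stating in the release note as well. The enclosing static initializer begins outside the hunk.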