Block one more gadget type (apache/commons-proxy, CVE-2020-11112)

Merged from FasterXML/jackson-databind#2666
atlassian · May 8, 2020 · f6bb411 · f6bb411
1 parent 71128a4
commit f6bb411
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -58,6 +58,7 @@ One more patch release for 1.9.
 * [databind#2660]: Block one more gadget type (caucho-quercus, CVE-2020-10673)
 * [databind#2662]: Block one more gadget type (bus-proxy, CVE-2020-10968)
 * [databind#2664]: Block one more gadget type (activemq-pool[-jms], CVE-2020-11111)
+* [databind#2666]: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
 
 1.9.13 (14-Jul-2013)
 

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -150,6 +150,9 @@ public class SubTypeValidator
         s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
         s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
 
+        // [databind#2666]: apache/commons-jms
+        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }