@@ -10,6 +10,9 @@ Project: jackson-databind
1010 (reported by OneSourceCat@github)
1111#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
1212 - CVE-2018-14721)
13+ #2186: Block more classes from polymorphic deserialization (CVE-2018-19360,
14+ CVE-2018-19361, CVE-2018-19362)
15+ (reported by Guixiong Wu)
1316
14172.7.9.4 (08-Jun-2018)
1518
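--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -73,6 +73,11 @@ public class SubTypeValidator
 s .add ("com.sun.deploy.security.ruleset.DRSHelper" );
 s .add ("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl" );
 
+// [databind#2186]: yet more 3rd party gadgets
+s .add ("org.jboss.util.propertyeditor.DocumentEditor" );
+s .add ("org.apache.openjpa.ee.RegistryManagedRuntime" );
+s .add ("org.apache.openjpa.ee.JNDIManagedRuntime" );
+s .add ("org.apache.axis2.transport.jms.JMSOutTransportInfo" );
 DEFAULT_NO_DESER_CLASS_NAMES = Collections .unmodifiableSet (s );
 }
 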
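Review bot: The comment introducing the four new entries cites only the issue number, while the release notes tie this change to three advisories; carrying them into the source lets a reader audit which entry answers which report, e.g. `// [databind#2186]: yet more 3rd party gadgets (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362)`. The set is a deny-list keyed by fully-qualified class name, so it covers exactly the classes listed; if the lookup elsewhere is an exact-name match rather than a hierarchy check (that code is not in this hunk), subclasses or relocated copies of these classes are not caught, and a short comment on `DEFAULT_NO_DESER_CLASS_NAMES` saying that the set is a best-effort block of known gadgets, not a complete guard, would keep callers from relying on it instead of restricting default typing to trusted base types. The static initializer that populates `s` begins outside the hunk.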