src/main/java/com/fasterxml/jackson/databind/deser
2 files changed +9
-0
lines changed Original file line number Diff line number Diff line change @@ -5,7 +5,10 @@ Project: jackson-databind
55------------------------------------------------------------------------
66
772.6.7.2 (not yet released)
8+
89#1737: Block more JDK types from polymorphic deserialization
10+ #2097: Block more classes from polymorphic deserialization (CVE-2018-14718
11+ - CVE-2018-14721)
912
10132.6.7.1 (11-Jul-2017)
1114
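--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -68,6 +68,12 @@ public class BeanDeserializerFactory
 s .add ("com.mchange.v2.c3p0.JndiRefForwardingDataSource" );
 s .add ("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource" );
 
+ // [databind#2097]: some 3rd party, one JDK-bundled
+ s .add ("org.slf4j.ext.EventData" );
+ s .add ("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor" );
+ s .add ("com.sun.deploy.security.ruleset.DRSHelper" );
+ s .add ("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl" );
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections .unmodifiableSet (s );
 }
 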
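Review bot: The comment above the four added entries (`// [databind#2097]: some 3rd party, one JDK-bundled`) does not say which advisory the names answer to, although the release note ties the change to CVE-2018-14718 - CVE-2018-14721; something like `// [databind#2097]: gadget types reported as CVE-2018-14718 .. CVE-2018-14721` would let a later reader audit the list against the advisories. The commit touches two files and neither appears to be a test, so nothing visible here pins that these names are actually rejected during polymorphic deserialization; a regression test asserting rejection for each added name would also catch a typo in one of the string literals. Because the set holds literal class names, it presumably does not cover subclasses or repackaged (shaded) copies of these types, which is worth stating in the comment so the block list is not read as a substitute for restricting polymorphic typing. The static initializer that fills `s` starts above the hunk, so how the set is consulted is not visible here.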