Fixed #2765

FasterXML · Jun 14, 2020 · f6d9c66 · f6d9c66
1 parent 840eae2
commit f6d9c66
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -12,6 +12,8 @@ Project: jackson-databind
  (reported by Fangrun Li)
 #2704: Block one more gadget type (weblogic/oracle-aqjms)
  (reported by XuYuanzhen)
+#2765: Block one more gadget type (org.jsecurity))
+ (reported by Al1ex@knownsec)
 
 2.9.10.4 (11-Apr-2020)
 

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -194,6 +194,9 @@ public class SubTypeValidator
         s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
         s.add("oracle.jms.AQjmsXAConnectionFactory");
 
+        // [databind#2764]: org.jsecurity:
+        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }