Fix #2648

cowtowncoder · cowtowncoder · commit 3240cab8abee · 2020-03-10T10:25:11.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -17,6 +17,7 @@ Project: jackson-databind
 #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
 #2462: Block two more gadget types (commons-configuration/-2)
 #2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
+#2648: Block one more gadget type (shiro-core, CVE-to-be-allocated)
 #2498: Block one more gadget type (log4j-extras/1.2, CVE-2019-17531)
 #2526: Block two more gadget types (ehcache/JNDI, CVE-2019-20330)
   (reported by UltramanGaia)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -136,6 +136,9 @@ public class SubTypeValidator
         // [databind#2642]: javax.swing (jdk)
         s.add("javax.swing.JEditorPane");
 
+        // [databind#2648]: shire-core
+        s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,9 @@ public class SubTypeValidator`
`136`	`136`	`// [databind#2642]: javax.swing (jdk)`
`137`	`137`	`s.add("javax.swing.JEditorPane");`
`138`	`138`
	`139`	`+ // [databind#2648]: shire-core`
	`140`	`+ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");`
	`141`	`+`
`139`	`142`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`140`	`143`	`}`
`141`	`144`