File tree 2 files changed +10
-0
lines changed
src/main/java/com/fasterxml/jackson/databind/jsontype/impl
2 files changed +10
-0
lines changed Original file line number Diff line number Diff line change @@ -7,8 +7,12 @@ Project: jackson-databind
77
88#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
99 - CVE-2018-14721)
10+ (reported by Guixiong Wu)
1011#2109: Canonical string for reference type is built incorrectly
1112 (reported by svarzee@github)
13+ #2186: Block more classes from polymorphic deserialization (CVE-2018-19360,
14+ CVE-2018-19361, CVE-2018-19362)
15+ (reported by Guixiong Wu)
1216
13172.8.11.2 (08-Jun-2018)
1418
Original file line number Diff line number Diff line change @@ -76,6 +76,12 @@ public class SubTypeValidator
7676 s .add ("com.sun.deploy.security.ruleset.DRSHelper" );
7777 s .add ("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl" );
7878
79+ // [databind#2186]: yet more 3rd party gadgets
80+ s .add ("org.jboss.util.propertyeditor.DocumentEditor" );
81+ s .add ("org.apache.openjpa.ee.RegistryManagedRuntime" );
82+ s .add ("org.apache.openjpa.ee.JNDIManagedRuntime" );
83+ s .add ("org.apache.axis2.transport.jms.JMSOutTransportInfo" );
84+
7985 DEFAULT_NO_DESER_CLASS_NAMES = Collections .unmodifiableSet (s );
8086 }
8187
You can’t perform that action at this time.
0 commit comments