Skip to content

Commit 82d5d10

Browse files
committed
Fix #2653
1 parent 9ea232b commit 82d5d10

File tree

2 files changed

+4
-2
lines changed

2 files changed

+4
-2
lines changed

release-notes/VERSION-2.x

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,8 @@ Project: jackson-databind
1212
(reported by threedr3am & V1ZkRA)
1313
#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated)
1414
(reported by threedr3am)
15-
#2648: Block one more gadget type (shiro-core, CVE-to-be-allocated)
15+
#2648: Block one more gadget type (shiro-core)
16+
#2653: Block one more gadget type (shiro-core)
1617

1718
2.9.10.3 (23-Feb-2020)
1819

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -138,8 +138,9 @@ public class SubTypeValidator
138138
// [databind#2642]: javax.swing (jdk)
139139
s.add("javax.swing.JEditorPane");
140140

141-
// [databind#2648]: shire-core
141+
// [databind#2648], [databind#2653]: shire-core
142142
s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
143+
s.add("org.apache.shiro.jndi.JndiObjectFactory");
143144

144145
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
145146
}

0 commit comments

Comments
 (0)