Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)

ablekhman · ablekhman · commit 0e4749554209 · 2019-10-23T11:01:53.000+11:00
Merged from FasterXML/jackson-databind#2449
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -38,9 +38,11 @@ One more patch release for 1.9.
 * [databind#2389]: Block yet another deserialization gadget (CVE-2019-14439)
  (reported by xiexq)
 * [databind#2410]: Block one more gadget type (CVE-2019-14540)
-    (reported by iSafeBlue@github / blue@ixsec.org)
+ (reported by iSafeBlue@github / blue@ixsec.org)
 * [databind#2420]: Block one more gadget type (no CVE allocated yet)
-    (reported by crazylirui@gmail.com)
+ (reported by crazylirui@gmail.com)
+* [databind#2449]: Block one more gadget type (cve CVE-2019-14540)
+ (reported by Kaki K)
 
 1.9.13 (14-Jul-2013)
 
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -89,6 +89,8 @@ public class SubTypeValidator
         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
         // [databind#2410]: HikariCP/metricRegistry config
         s.add("com.zaxxer.hikari.HikariConfig");
+        // [databind#2449]: and sub-class thereof
+        s.add("com.zaxxer.hikari.HikariDataSource");
         // [databind#2420]: CXF/JAX-RS provider/XSLT
         s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
 
