Commit 3b62b24

Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
Merged from FasterXML/jackson-databind#2420
1 parent f48b85e commit 3b62b24

2 files changed: +4 -0 lines changed

release-notes/VERSION

Lines changed: 2 additions & 0 deletions
@@ -39,6 +39,8 @@ One more patch release for 1.9.
3939
(reported by xiexq)
4040
* [databind#2410]: Block one more gadget type (CVE-2019-14540)
4141
(reported by iSafeBlue@github / [email protected])
42+
* [databind#2420]: Block one more gadget type (no CVE allocated yet)
43+
(reported by [email protected])
4244

4345
1.9.13 (14-Jul-2013)
4446
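
Review bot: The added [databind#2420] entry reads only "Block one more gadget type (no CVE allocated yet)", so someone scanning the release notes cannot tell which library is affected without opening the issue. Consider naming the gadget family in the entry (the commit title already says cxf-jax-rs) and replacing the "no CVE allocated yet" placeholder with the identifier once one is assigned, the way the [databind#2410] entry just above carries CVE-2019-14540.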

src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java

Lines changed: 2 additions & 0 deletions
@@ -89,6 +89,8 @@ public class SubTypeValidator
8989
s.add("ch.qos.logback.core.db.JNDIConnectionSource");
9090
// [databind#2410]: HikariCP/metricRegistry config
9191
s.add("com.zaxxer.hikari.HikariConfig");
92+
// [databind#2420]: CXF/JAX-RS provider/XSLT
93+
s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
9294

9395
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
9496
}
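
Review bot: The new `s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");` entry lands without a test, since the commit touches only this file and release-notes/VERSION. A regression test asserting that this type name is refused would keep the entry from being silently dropped in a later merge or backport. Also worth confirming: the set holds exact class names, so subclasses of XSLTJaxbProvider are covered only if the validator also checks supertypes, which is not visible in this hunk.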