Block two more gadget types (commons-configuration/-2)

mtokarski-atlassian · mtokarski-atlassian · commit 98c42f7a2750 · 2020-05-08T11:49:19.000+02:00
Merged from FasterXML/jackson-databind#2462
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -64,6 +64,7 @@ One more patch release for 1.9.
 * [databind#2682]: Block one more gadget type (commons-jelly, CVE-2020-11620)
 * [databind#2688]: Block one more gadget type (apache-drill)
 * [databind#2698]: Block one more gadget type (weblogic/oracle-aqjms)
+* [databind#2462]: Block two more gadget types (commons-configuration/-2)
 
 1.9.13 (14-Jul-2013)
 
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -99,6 +99,11 @@ public class SubTypeValidator
         s.add("com.zaxxer.hikari.HikariDataSource");
         // [databind#2420]: CXF/JAX-RS provider/XSLT
         s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
+        // [databind#2462]: commons-configuration / -2
+        s.add("org.apache.commons.configuration.JNDIConfiguration");
+        s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
         // [databind#2478]: comons-dbcp, p6spy
         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
         s.add("com.p6spy.engine.spy.P6DataSource");
