Commit f6bb411

Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
Merged from FasterXML/jackson-databind#2666
1 parent 71128a4 commit f6bb411

2 files changed: +4 -0 lines changed

release-notes/VERSION

Lines changed: 1 addition & 0 deletions
@@ -58,6 +58,7 @@ One more patch release for 1.9.
5858
* [databind#2660]: Block one more gadget type (caucho-quercus, CVE-2020-10673)
5959
* [databind#2662]: Block one more gadget type (bus-proxy, CVE-2020-10968)
6060
* [databind#2664]: Block one more gadget type (activemq-pool[-jms], CVE-2020-11111)
61+
* [databind#2666]: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
6162

6263
1.9.13 (14-Jul-2013)
6364

src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java

Lines changed: 3 additions & 0 deletions
@@ -150,6 +150,9 @@ public class SubTypeValidator
150150
s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
151151
s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
152152

153+
// [databind#2666]: apache/commons-jms
154+
s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
155+
153156
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
154157
}
155158
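
Review bot: The comment on added line 153 of SubTypeValidator.java says "apache/commons-jms", but the class being blocked is `org.apache.commons.proxy.provider.remoting.RmiProvider`, and both the commit title and the release-notes entry name the gadget as apache/commons-proxy. Please change the comment to `// [databind#2666]: apache/commons-proxy` so that someone auditing the block list by library or CVE finds the right entry. Separately, the commit changes only two files and adds no test; a small test asserting that this class name is rejected during polymorphic deserialization would guard against the entry being lost in a later merge.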
