Fix FasterXML#2620

cowtowncoder · qxo · commit f0cf1a018c18 · 2020-03-10T20:24:03.000+08:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -11,9 +11,11 @@ Project: jackson-databind
 #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
 #2462: Block two more gadget types (commons-configuration/-2)
 #2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
-#2498: Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531)
-#2526: Block two more gadget types (ehcache/JNDI - CVEs to be allocated)
-  (repoerted by UltramanGaia)
+#2498: Block one more gadget type (log4j-extras/1.2, CVE-2019-17531)
+#2526: Block two more gadget types (ehcache/JNDI, CVE-2019-20330)
+  (reported by UltramanGaia)
+#2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-xxxxx)
+  (reported by threedr3am)
 
 2.7.9.6 (26-Jul-2019)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -123,6 +123,9 @@ public class SubTypeValidator
         s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
         s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
 
+        // [databind#2620]: xbean-reflect
+        s.add("org.apache.xbean.propertyeditor.JndiConverter");
+        
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,9 @@ public class SubTypeValidator`
`123`	`123`	`s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");`
`124`	`124`	`s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");`
`125`	`125`
	`126`	`+ // [databind#2620]: xbean-reflect`
	`127`	`+ s.add("org.apache.xbean.propertyeditor.JndiConverter");`
	`128`	`+`
`126`	`129`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`127`	`130`	`}`
`128`	`131`