MNSTR-5023 backport security fix from jackson2

Merged from FasterXML/jackson-databind#2826 FasterXML/jackson-databind#2827
atlassian · Apr 20, 2021 · b9fc2f5 · b9fc2f5
1 parent 8d68933
commit b9fc2f5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -70,6 +70,8 @@ One more patch release for 1.9.
 * [databind#2765]: Block one more gadget type (org.jsecurity, CVE-2020-14195)
 * [databind#2798]: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)
 * [databind#2814]: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
+* [databind#2826]: Block one more gadget type Block one more gadget type (com.nqadmin.rowset, CVE-xxxx-xxx)
+* [databind#2827]: Block one more gadget type Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx)
 
 
 1.9.13 (14-Jul-2013)

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -191,7 +191,11 @@ public class SubTypeValidator
 
         // [databind#2798]: com.pastdev.httpcomponents:
         s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
-
+
+        // [databind#2826], [databind#2827]
+        s.add("com.nqadmin.rowset.JdbcRowSetImpl");
+        s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }