From b9fc2f5b32ad1f1c98ce09065a731f1f38c60808 Mon Sep 17 00:00:00 2001
From: Tomasz Kanafa
Date: Tue, 20 Apr 2021 10:38:13 +0200
Subject: [PATCH] MNSTR-5023 backport security fix from jackson2

Merged from FasterXML/jackson-databind#2826 FasterXML/jackson-databind#2827
---
 release-notes/VERSION                               | 2 ++
 .../jackson/map/jsontype/impl/SubTypeValidator.java | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 40c4e3d05..819d8d802 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -70,6 +70,8 @@ One more patch release for 1.9.
 * [databind#2765]: Block one more gadget type (org.jsecurity, CVE-2020-14195)
 * [databind#2798]: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)
 * [databind#2814]: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
+* [databind#2826]: Block one more gadget type Block one more gadget type (com.nqadmin.rowset, CVE-xxxx-xxx)
+* [databind#2827]: Block one more gadget type Block one more gadget type (org.arrahtec:profiler-core, CVE-xxxx-xxx)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index 06aa1451a..5491fd745 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -191,7 +191,11 @@ public class SubTypeValidator
         // [databind#2798]: com.pastdev.httpcomponents:
         s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
-
+
+        // [databind#2826], [databind#2827]
+        s.add("com.nqadmin.rowset.JdbcRowSetImpl");
+        s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
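Review bot: The added `// [databind#2826], [databind#2827]` comment drops the per-entry package annotation that the neighbouring entries carry (the context line reads `// [databind#2798]: com.pastdev.httpcomponents:`), so a later audit of DEFAULT_NO_DESER_CLASS_NAMES cannot map each new name back to its issue without opening the upstream tickets. Splitting it into `// [databind#2826]: com.nqadmin.rowset:` above the first `s.add` and `// [databind#2827]: org.arrah.framework.rdbms:` above the second keeps the list self-describing in the same style as the rest of the initializer. The upstream jackson-databind fixes this commit backports presumably came with a test asserting that the two new names are rejected by the validator; nothing equivalent is added here, so the 1.9 code path is not exercised by this change. The static initializer that builds `s` begins before this hunk.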