From f6d9c664f6d481703138319f6a0f1fdbddb3a259 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sat, 13 Jun 2020 20:30:10 -0700
Subject: [PATCH] Fixed #2765
---
 release-notes/VERSION-2.x | 2 ++
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 0bc7e01ef3..7e1d550c72 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -12,6 +12,8 @@ Project: jackson-databind
 (reported by Fangrun Li)
 #2704: Block one more gadget type (weblogic/oracle-aqjms)
 (reported by XuYuanzhen)
+#2765: Block one more gadget type (org.jsecurity))
+ (reported by Al1ex@knownsec)
 2.9.10.4 (11-Apr-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 80cc378794..7c3d4bcc3b 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -194,6 +194,9 @@ public class SubTypeValidator
 s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
 s.add("oracle.jms.AQjmsXAConnectionFactory");
+ // [databind#2764]: org.jsecurity:
+ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
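Review bot: The comment above the new entry in SubTypeValidator.java cites `[databind#2764]`, while the commit subject and the release-notes line both say #2765, so anyone tracing why this class is blocked will land on the wrong issue. If #2765 is the right number, the comment should read `// [databind#2765]: org.jsecurity:`. The entry is a single fully-qualified class name, so it blocks only `org.jsecurity.realm.jndi.JndiRealmFactory`; a comment saying whether other types in that package were checked would help the next person extending the list. The diffstat lists only the release notes and this file, so no test pins the new entry; a regression test that asserts this type id is rejected during polymorphic deserialization would guard against the line being dropped in a later merge. The static initializer that fills the set starts outside the hunk.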