Skip to content

Commit

Permalink
MNSTR-5023 backport security fix from jackson2 - Block one more gadge…
Browse files Browse the repository at this point in the history 
…t type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)

Merged from FasterXML/jackson-databind#2999
  • Loading branch information
@tkanafa-atlassian
tkanafa-atlassian committed Apr 20, 2021
1 parent cf0b9f3 commit f2d0a7c
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 0 deletions.
1 change: 1 addition & 0 deletions release-notes/VERSION
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ One more patch release for 1.9.
* [databind#2996]: Block 2 more gadget types (newrelic-agent, CVE-2020-36188/CVE-2020-36189)
* [databind#2997]: Block 2 more gadget types (tomcat/naming-factory-dbcp, CVE-2020-36186/CVE-2020-36187)
* [databind#2998]: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp, CVE-2020-36184/CVE-2020-36185)
* [databind#2999]: Block one more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)


1.9.13 (14-Jul-2013)
Expand Down
4 changes: 4 additions & 0 deletions src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,10 @@ public class SubTypeValidator
s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");

// [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
// (derivative of #2469)
s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

Expand Down

0 comments on commit f2d0a7c

Please sign in to comment.