From: Markus Koschany <apo@debian.org>
Date: Sat, 5 Oct 2019 19:37:49 +0200
Subject: polymorphic typing issues

This is the fix for CVE-2019-14379, CVE-2019-14439, CVE-2019-14540,
CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
---
 .../databind/jsontype/impl/SubTypeValidator.java   | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 72db61d..d638af9 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -90,6 +90,31 @@ public class SubTypeValidator
         s.add("org.jdom.transform.XSLTransformer");
         s.add("org.jdom2.transform.XSLTransformer");
 
+        // [databind#2387]: EHCache
+        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+
+        // [databind#2389]: logback/jndi
+        s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
+        // [databind#2410]: HikariCP/metricRegistry config
+        s.add("com.zaxxer.hikari.HikariConfig");
+        // [databind#2449]: and sub-class thereof
+        s.add("com.zaxxer.hikari.HikariDataSource");
+
+        // [databind#2420]: CXF/JAX-RS provider/XSLT
+        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
+        // [databind#2462]: commons-configuration / -2
+        s.add("org.apache.commons.configuration.JNDIConfiguration");
+        s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
+        // [databind#2469]: xalan2
+        s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+
+        // [databind#2478]: comons-dbcp, p6spy
+        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+        s.add("com.p6spy.engine.spy.P6DataSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
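Review bot: The list is matched by exact class name, so each blocked type's subclasses have to be enumerated separately — the `[databind#2449]` entry adding `com.zaxxer.hikari.HikariDataSource` next to its parent `HikariConfig` shows this, and any other subclass of a listed type stays deserializable. A short comment above the new entries, e.g. `// NOTE: matched by exact FQCN; subclasses of a blocked type are NOT covered and must be listed explicitly`, would keep later backports from assuming the parent entry suffices. A deny-list of this kind is necessarily reactive, so if this build is on 2.10 or later it is worth noting in the same comment that an allow-list `PolymorphicTypeValidator` (e.g. `BasicPolymorphicTypeValidator`) for default typing is the durable mitigation. The comment on the dbcp entry misspells `comons-dbcp`. The static initializer that populates `s` begins before the hunk.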
