From 6ba48457984943df0de92c54144f7dcae01b1221 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Tue, 3 Mar 2020 16:43:31 -0800
Subject: [PATCH] Fix #2642
---
 release-notes/VERSION | 6 ++++--
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index ec12be41dd..e093e4065e 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -6,10 +6,12 @@ Project: jackson-databind
 2.7.9.7 (not yet released)
-#2631: Block one more gadget type (shaded-hikari-config, CVE-to-be-allocated)
+#2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
 (reported by threedr3am & LFY)
-#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-to-be-allocated)
+#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
 (reported by threedr3am & V1ZkRA)
+#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated)
+ (reported by threedr3am)
 #2410: Block one more gadget type (HikariCP, CVE-2019-14540)
 #2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
 #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 68dd3d8e42..73d8bbf699 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -133,6 +133,9 @@ public class SubTypeValidator
 s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
 s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+ // [databind#2642]: javax.swing (jdk)
+ s.add("javax.swing.JEditorPane");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
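Review bot: The new entry `s.add("javax.swing.JEditorPane");` blocks one exact class name, and whether types that extend it are also rejected depends on how the validator looks names up, which is outside this hunk. If the lookup is an exact-name match, subclasses that inherit the same setters would still be accepted when polymorphic type handling is enabled, so that is worth confirming before release. The limit could be recorded next to the entry, for example `// exact-name match; subclasses need their own entry or a superclass check`. The diffstat lists only VERSION and SubTypeValidator.java, so no regression test accompanies the entry; a test asserting that this type is rejected would keep the list from silently regressing. The initializer block holding these lines starts outside the hunk.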