File tree Expand file tree Collapse file tree 2 files changed +9
-4
lines changed
src/main/java/com/fasterxml/jackson/databind/jsontype/impl Expand file tree Collapse file tree 2 files changed +9
-4
lines changed Original file line number Diff line number Diff line change @@ -8,7 +8,11 @@ Project: jackson-databind
88#1941: `TypeFactory.constructFromCanonical()` throws NPE for Unparameterized
99 generic canonical strings
1010 (reported by ayushgp@github)
11- #2032: Blacklist another serialization gadget (ibatis)
11+ #2032: CVE-2018-11307: Potential information exfiltration with default typing, serialization gadget from MyBatis
12+ (reported by Guixiong Wu)
13+ #2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
14+ (reported by Guixiong Wu)
15+ #2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
1216 (reported by Guixiong Wu)
1317
14182.8.11.1 (11-Feb-2018)
Original file line number Diff line number Diff line change @@ -60,10 +60,11 @@ public class SubTypeValidator
6060 // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
6161 s .add ("org.apache.ibatis.parsing.XPathParser" );
6262
63- // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
64- // and access attempt is made:
65- s .add ("oracle.jdbc.connector.OracleManagedConnectionFactory" );
63+ // [databind#2052]: Jodd-db, with jndi/ldap lookup
6664 s .add ("jodd.db.connection.DataSourceConnectionProvider" );
65+
66+ // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
67+ s .add ("oracle.jdbc.connector.OracleManagedConnectionFactory" );
6768 s .add ("oracle.jdbc.rowset.OracleJDBCRowSet" );
6869
6970 DEFAULT_NO_DESER_CLASS_NAMES = Collections .unmodifiableSet (s );
You can’t perform that action at this time.
0 commit comments