File tree Expand file tree Collapse file tree 2 files changed +10
-1
lines changed
src/main/java/com/fasterxml/jackson/databind/jsontype/impl Expand file tree Collapse file tree 2 files changed +10
-1
lines changed Original file line number Diff line number Diff line change @@ -4,9 +4,11 @@ Project: jackson-databind
44=== Releases ===
55------------------------------------------------------------------------
66
7- 2.7.9.4 (not yet released )
7+ 2.7.9.4 (08-Jun-2018 )
88
99#2032: Blacklist another serialization gadget (ibatis)
10+ #2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
11+ #2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
1012
11132.7.9.3 (11-Feb-2018)
1214
Original file line number Diff line number Diff line change @@ -57,6 +57,13 @@ public class SubTypeValidator
5757 // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
5858 s .add ("org.apache.ibatis.parsing.XPathParser" );
5959
60+ // [databind#2052]: Jodd-db, with jndi/ldap lookup
61+ s .add ("jodd.db.connection.DataSourceConnectionProvider" );
62+
63+ // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
64+ s .add ("oracle.jdbc.connector.OracleManagedConnectionFactory" );
65+ s .add ("oracle.jdbc.rowset.OracleJDBCRowSet" );
66+
6067 DEFAULT_NO_DESER_CLASS_NAMES = Collections .unmodifiableSet (s );
6168 }
6269
You can’t perform that action at this time.
0 commit comments