Block one more gadget type (cxf-jax-rs, no CVE allocated yet)

Merged from FasterXML/jackson-databind#2420
atlassian · Oct 22, 2019 · 3b62b24 · 3b62b24
1 parent f48b85e
commit 3b62b24
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -39,6 +39,8 @@ One more patch release for 1.9.
  (reported by xiexq)
 * [databind#2410]: Block one more gadget type (CVE-2019-14540)
     (reported by iSafeBlue@github / [email protected])
+* [databind#2420]: Block one more gadget type (no CVE allocated yet)
+    (reported by [email protected])
 
 1.9.13 (14-Jul-2013)
 

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -89,6 +89,8 @@ public class SubTypeValidator
         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
         // [databind#2410]: HikariCP/metricRegistry config
         s.add("com.zaxxer.hikari.HikariConfig");
+        // [databind#2420]: CXF/JAX-RS provider/XSLT
+        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }