From 5391a03f9e6458ff61edd46ee8c581736f0696c2 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Tue, 2 Apr 2019 13:57:49 +0200
Subject: [PATCH 07/14] CVE-2018-12023
---
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index e325f2736..3a480272e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -54,6 +54,9 @@ public class SubTypeValidator
s.add("org.apache.ibatis.parsing.XPathParser");
// CVE-2018-12022
s.add("jodd.db.connection.DataSourceConnectionProvider");
+ // CVE-2018-12023
+ s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+ s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
--
2.20.1