From b91f67aa5af70e694e3f9a7625fb62a24bdeb0ac Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Tue, 2 Apr 2019 13:56:53 +0200
Subject: [PATCH 05/14] CVE-2018-11307

---
 .../jackson/databind/jsontype/impl/SubTypeValidator.java        | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 09692d5d7..c8457b29e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -50,6 +50,8 @@ public class SubTypeValidator
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+        // CVE-2018-11307
+        s.add("org.apache.ibatis.parsing.XPathParser");
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
-- 
2.20.1