From d4689ae4bae7e451b9a6e8720aa0e4f58ca2e2bc Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 2 Apr 2019 13:57:10 +0200 Subject: [PATCH 06/14] CVE-2018-12022 --- .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java index c8457b29e..e325f2736 100644 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java @@ -52,6 +52,8 @@ public class SubTypeValidator s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); // CVE-2018-11307 s.add("org.apache.ibatis.parsing.XPathParser"); + // CVE-2018-12022 + s.add("jodd.db.connection.DataSourceConnectionProvider"); DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); } -- 2.20.1