Commit 32ab266

Block one more gadget type (aries.transaction.jms, CVE-2020-10672)
Merged from FasterXML/jackson-databind#2659
1 parent 86bdda0 commit 32ab266

2 files changed

+4
-0
lines changed

release-notes/VERSION

+1
@@ -54,6 +54,7 @@ One more patch release for 1.9.
5454
* [databind#2648]: Block one more gadget type (shiro-core)
5555
* [databind#2653]: Block one more gadget type (shiro-core, 2nd class)
5656
* [databind#2658]: Block one more gadget type (ignite-jta, CVE-2020-10650)
57+
* [databind#2659]: Block one more gadget type (aries.transaction.jms, CVE-2020-10672)
5758

5859
1.9.13 (14-Jul-2013)
5960

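Review bot: the new entry at line 57 identifies the gadget only by its package (aries.transaction.jms), while the code change in this commit blocks one specific class, org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory. Consider naming that class in the note, so that someone auditing a classpath or a scanner report against CVE-2020-10672 can tell from the release notes alone what is and is not covered. The neighbouring entries follow the same package-only convention, so this is a wording suggestion rather than a blocker.
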
src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java

+3
@@ -127,6 +127,9 @@ public class SubTypeValidator
127127
s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
128128
s.add("org.quartz.utils.JNDIConnectionProvider");
129129

130+
// [databind#2659]: aries.transaction.jms
131+
s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
132+
130133
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
131134
}
132135

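Review bot: the added s.add(...) at line 131 comes without a test; the commit changes only release-notes/VERSION and SubTypeValidator.java, so nothing checks that the string matches the real class name or that the entry ends up in DEFAULT_NO_DESER_CLASS_NAMES. A typo in a blocklist literal fails silently, so a test asserting that this fully qualified name is rejected would be worth adding alongside it. The comment at line 130 could also carry CVE-2020-10672, as the release note does, so the code can be found by CVE id.
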