From 113e89fb08b1b6b072d60b3e4737ed407c13db9a Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Mon, 6 Apr 2020 19:27:26 -0700
Subject: [PATCH] Fix #2680
---
 release-notes/VERSION-2.x | 1 +
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index c455b367f7..9078ef5f93 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -28,6 +28,7 @@ Project: jackson-databind
 (reported by Yiting Fan)
 #2670: Block one more gadget type (openjpa, CVE-2020-11113)
 (reported by XuYuanzhen)
+#2680: Block one more gadget type (spring-aop)
 2.9.10.3 (23-Feb-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index e3962ca725..80f5b61bde 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -49,6 +49,9 @@ public class SubTypeValidator
 // [databind#1737]; 3rd party
 //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
 s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ // [databind#2680]
+ s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
+ s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
 // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
 // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
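Review bot: The two `s.add(...)` lines added under `// [databind#2680]` in SubTypeValidator.java carry only the issue id, and the release note labels the change "spring-aop" although the second entry, `org.springframework.beans.factory.config.BeanReferenceFactoryBean`, is (judging by its package) a spring-beans class. A comment such as `// [databind#2680]: Spring factory beans (spring-aop, spring-beans) blocked as polymorphic-deserialization gadget types` would let someone auditing the list see the reason without opening the issue. The diffstat shows only the release notes and this file changed, so nothing pins that both names are rejected; a small test asserting that each is refused would guard against a typo in the string literals or an accidental removal. The enclosing initializer starts and ends outside the hunk, so how the set `s` is consulted cannot be confirmed from here; if it is an exact-name match, subclasses of these beans would not be covered and that limitation is worth stating next to the list.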