Block one more gadget type (mysql, CVE-2019-12086)

Merged from FasterXML/jackson-databind#2326
atlassian · Oct 22, 2019 · 39cb109 · 39cb109
1 parent 8d9a765
commit 39cb109
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -31,6 +31,7 @@ One more patch release for 1.9.
 * [databind#2186]: Block more classes from polymorphic deserialization (CVE-2018-19360,
     CVE-2018-19361, CVE-2018-19362)
  (reported by Guixiong Wu)
+* [databind#2326]: Block one more gadget type (CVE-2019-12086)
 
 1.9.13 (14-Jul-2013)
 

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -76,6 +76,8 @@ public class SubTypeValidator
         s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+        // [databind#2326] (2.9.9): one more 3rd party gadget
+        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }