Another two gadgets to exploit default typing issue in jackson-databi…

…nd (CVE-2018-5968) Merged from FasterXML/jackson-databind#1899
atlassian · Oct 22, 2019 · 8438b6f · 8438b6f
1 parent aefa025
commit 8438b6f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -24,6 +24,7 @@ One more patch release for 1.9.
 * [databind#2032]: Blacklist another serialization gadget (ibatis)
 * [databind#2052]: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
 * [databind#2058]: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
+* [databind#1899]: Another two gadgets to exploit default typing issue in jackson-databind (reported by OneSourceCat@github)
 
 1.9.13 (14-Jul-2013)
 

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -63,6 +63,9 @@ public class SubTypeValidator
         // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
         s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+        // [databind#1899]: more 3rd party
+        s.add("org.hibernate.jmx.StatisticsService");
+        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }