Block one more gadget type (SSRF, spring-jpa, CVE-2020-11619)

Merged from FasterXML/jackson-databind#2680
atlassian · May 8, 2020 · 8614ee3 · 8614ee3
1 parent 68d52f1
commit 8614ee3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -60,6 +60,7 @@ One more patch release for 1.9.
 * [databind#2664]: Block one more gadget type (activemq-pool[-jms], CVE-2020-11111)
 * [databind#2666]: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
 * [databind#2670]: Block one more gadget type (openjpa, CVE-2020-11113)
+* [databind#2680]: Block one more gadget type (SSRF, spring-jpa, CVE-2020-11619)
 
 1.9.13 (14-Jul-2013)
 

diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -49,6 +49,10 @@ public class SubTypeValidator
         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+        // [databind#2680]
+        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
+        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
+
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");