From 9a9732622344b8f8bfce2b7551cfa9f399043d12 Mon Sep 17 00:00:00 2001
From: Marek Tokarski
Date: Fri, 8 May 2020 11:24:04 +0200
Subject: [PATCH] Block one more gadget type (commons-jelly, CVE-2020-11620)

Merged from FasterXML/jackson-databind#2682
---
 release-notes/VERSION | 1 +
 .../codehaus/jackson/map/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index e05c04178..62a1445f5 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -61,6 +61,7 @@ One more patch release for 1.9.
 * [databind#2666]: Block one more gadget type (apache/commons-proxy, CVE-2020-11112)
 * [databind#2670]: Block one more gadget type (openjpa, CVE-2020-11113)
 * [databind#2680]: Block one more gadget type (SSRF, spring-jpa, CVE-2020-11619)
+* [databind#2682]: Block one more gadget type (commons-jelly, CVE-2020-11620)
 
 1.9.13 (14-Jul-2013)
 
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index c950ee63f..db6b3fa3d 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -158,6 +158,9 @@ public class SubTypeValidator
         // [databind#2666]: apache/commons-jms
         s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
 
+        // [databind#2682]: commons-jelly
+        s.add("org.apache.commons.jelly.impl.Embedded");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
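Review bot: The new comment `// [databind#2682]: commons-jelly` in SubTypeValidator does not carry the CVE identifier that the matching VERSION entry records, so anyone auditing the denylist has to cross-reference the release notes to learn why the entry exists; I would write it as `// [databind#2682]: commons-jelly (CVE-2020-11620)`. The neighbouring context comment `// [databind#2666]: apache/commons-jms` also disagrees with the VERSION line for #2666, which names apache/commons-proxy, and the class name added there (`org.apache.commons.proxy...`) supports the VERSION wording; correcting that label would be a cheap follow-up. The enclosing static initializer that builds `s` and assigns `DEFAULT_NO_DESER_CLASS_NAMES` starts outside this hunk, so whether the new entry is reachable by every validation path cannot be confirmed from here.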