From 77040d85e3eb6710508e6445640ae1a3d5e60c22 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Tue, 7 Apr 2020 09:34:38 -0700
Subject: [PATCH] Fix #2682
---
 release-notes/VERSION-2.x | 1 +
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 9078ef5f93..1675164eee 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -29,6 +29,7 @@ Project: jackson-databind
 #2670: Block one more gadget type (openjpa, CVE-2020-11113)
 (reported by XuYuanzhen)
 #2680: Block one more gadget type (spring-aop)
+#2680: Block one more gadget type (commons-jelly)
 2.9.10.3 (23-Feb-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 80f5b61bde..b123bee8bc 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -177,6 +177,9 @@ public class SubTypeValidator
 // [databind#2666]: apache/commons-jms
 s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+ // [databind#2682]: commons-jelly
+ s.add("org.apache.commons.jelly.impl.Embedded");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
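Review bot: The new `s.add("org.apache.commons.jelly.impl.Embedded")` entry in the SubTypeValidator.java hunk lands without a test; the diffstat lists only the release notes and this file, so nothing in the patch checks that this class name is actually refused. A small regression test asserting that a payload naming this type is rejected would catch a typo in the string, which a hand-maintained list of literal class names is prone to. The comment could also say why the type is listed, e.g. `// [databind#2682]: commons-jelly (gadget type, must not be deserialized polymorphically)`, with the wording hedged here because the code that consults `DEFAULT_NO_DESER_CLASS_NAMES` is outside the hunk. The release-notes hunk files this fix under `#2680`, duplicating the spring-aop line, while the subject and the code comment say #2682; that line should read `#2682: Block one more gadget type (commons-jelly)` so advisories map to the right issue. The initializer block that builds the set starts above this hunk.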