Fix #2648
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 5ffdcf3..ad9e723 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -10,8 +10,9 @@
(reported by threedr3am & LFY)
#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
(reported by threedr3am & V1ZkRA)
-#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated) #2642
- (reported by threedr3am)
+#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated)
+ (reported by threedr3am)
+#2648: Block one more gadget type (shiro-core, CVE-to-be-allocated)
2.9.10.3 (23-Feb-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 3b0de95..9c0ff58 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -138,6 +138,9 @@
// [databind#2642]: javax.swing (jdk)
s.add("javax.swing.JEditorPane");
+ // [databind#2648]: shire-core
+ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}