Incomplete List of Disallowed Inputs
CVE-2026-54513
Summary
jackson-databind contains the general-purpose data-binding functionality and tree model for the Jackson Data Processor. In versions 2.10.0 prior to 2.18.8, 2.19.0 prior to 2.21.4 and 3.0.0 prior to 3.1.4, `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PolymorphicTypeValidator (PTV) built with `allowIfSubTypeIsArray()` plus an explicit concrete-type allowlist therefore still permits `EvilType[]` even though `EvilType` is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
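As an added example (not the advisory's or the project's own code, written against the 2.x package names), the affected validator configuration is shown beside a hardened one, together with a check that asks the validator the same question Jackson asks when it resolves a type id; the `Order` and `Unexpected` classes and the `ArrayAllowlistCheck` name are hypothetical.

```java
import com.fasterxml.jackson.databind.DeserializationConfig;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator.Validity;

public class ArrayAllowlistCheck {
    // Hypothetical application types, defined here only for the demonstration.
    public static class Order { public String id; }
    public static class Unexpected { public String data; }

    // Affected pattern: allowIfSubTypeIsArray() matches on clazz.isArray() alone,
    // so any array class passes even though only Order is allowlisted.
    static PolymorphicTypeValidator weakPtv() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Order.class)
                .allowIfSubTypeIsArray()
                .build();
    }

    // Hardened pattern (assumes the app needs only Order and Order[]): drop the
    // blanket array rule and allowlist the exact array class instead.
    static PolymorphicTypeValidator hardenedPtv() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Order.class)
                .allowIfSubType(Order[].class)
                .build();
    }

    // Ask the validator the question Jackson asks when it resolves a type id:
    // is "elementType[]" an acceptable subtype of the Object base type?
    // Anything other than ALLOWED makes Jackson reject the type id.
    static Validity check(PolymorphicTypeValidator ptv, ObjectMapper mapper, Class<?> elementType)
            throws JsonMappingException {
        DeserializationConfig cfg = mapper.getDeserializationConfig();
        JavaType base = mapper.getTypeFactory().constructType(Object.class);
        JavaType arrayType = mapper.getTypeFactory().constructArrayType(elementType);
        return ptv.validateSubType(cfg, base, arrayType);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = JsonMapper.builder().build();
        System.out.println("weak, Unexpected[]: " + check(weakPtv(), mapper, Unexpected.class));
        System.out.println("hardened, Unexpected[]: " + check(hardenedPtv(), mapper, Unexpected.class));
        System.out.println("hardened, Order[]: " + check(hardenedPtv(), mapper, Order.class));
    }
}
```

On affected versions the weak validator reports `ALLOWED` for `Unexpected[]` while the hardened one does not, so Jackson refuses that type id; upgrading to 2.18.8, 2.21.4 or 3.1.4 remains the primary fix.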
- Severity / CVSS metrics: HIGH, NETWORK, HIGH, UNCHANGED, NONE, NONE, HIGH, HIGH
CWE-184 - Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.