diff --git a/CVE-2021-20190.patch b/CVE-2021-20190.patch
new file mode 100644
index 0000000..efc11ff
--- /dev/null
+++ b/CVE-2021-20190.patch
@@ -0,0 +1,23 @@
+From 7dbf51bf78d157098074a20bd9da39bd48c18e4a Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Thu, 17 Sep 2020 20:11:25 -0700
+Subject: [PATCH] Fix #2854
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 ++-
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index dc706429cf..a8b5cb1ba3 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -143,8 +143,9 @@
+ // [databind#2814]: anteros-dbcp
+ s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
+
+- // [databind#2642]: javax.swing (jdk)
++ // [databind#2642][databind#2854]: javax.swing (jdk)
+ s.add("javax.swing.JEditorPane");
++ s.add("javax.swing.JTextPane");
+
+ // [databind#2648], [databind#2653]: shire-core
+ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
diff --git a/jackson-databind.spec b/jackson-databind.spec
index 664ca6d..0b26fa7 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@@ -1,6 +1,6 @@
 Name: jackson-databind
 Version: 2.9.8
-Release: 7
+Release: 8
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: https://github.com/FasterXML/jackson-databind/
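Review bot: The new entry `s.add("javax.swing.JTextPane");` in the embedded SubTypeValidator.java hunk of CVE-2021-20190.patch carries no explanation of why a second Swing class is needed next to `javax.swing.JEditorPane`. `JTextPane` is a JDK subclass of `JEditorPane`, and the set appears to be consulted by exact class name (the lookup is outside the hunk, so confirm), which would mean that listing the parent does not cover its subclasses. I would say so in the comment, e.g. `// [databind#2642][databind#2854]: javax.swing (jdk); names presumably match exactly, so each subclass is listed separately`. Because a deny-list like this only covers classes that have already been reported, services built on this 2.9.8 package that read untrusted JSON should still keep default typing off, or move to the allow-list `PolymorphicTypeValidator` available from 2.10. The enclosing initializer starts and ends outside the hunk.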
@@ -46,6 +46,7 @@ Patch0037: CVE-2020-36187-CVE-2020-36186.patch #The CVE-2020-36179-36180-36181-36182.patch is used to fix CVE-2020-36179 and CVE-2020-36180 and CVE-2020-36181 and CVE-2020-36182 Patch0038: CVE-2020-36179-36180-36181-36182.patch Patch0039: CVE-2020-36183.patch +Patch0040: CVE-2021-20190.patch BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} @@ -98,6 +99,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest %license LICENSE NOTICE %changelog +* Wed Jan 27 2021 wangyue - 2.9.8-8 +- fix CVE-2021-20190 + * Fri Jan 22 2021 wangyue - 2.9.8-7 - fix CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184