Vulnerabilities

CVE-2018-8013

by Fred · 24/05/2018

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Date published : 2018-05-24

http://www.securityfocus.com/bid/104252

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Similar

Tags: Cybersecurity Alert