QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2018-8013

Back to search

CVE-2018-8013

Published: May 24, 2018

Modified: Sep 16, 2024

PUBLISHED

Description

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

VendorProductVersions

Apache Software Foundation

Apache Batik

affected
1.0 - 1.9.1

References

104252
vdb-entry
DSA-4215
vendor-advisory
USN-3661-1
vendor-advisory
1040995
vdb-entry
GLSA-202401-11
vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now