[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-2018-8013] Apache Batik information disclosure vulnerability

To: <general@xxxxxxxxxxxxxxxxxxxxxx>, <batik-dev@xxxxxxxxxxxxxxxxxxxxxx>, <batik-users@xxxxxxxxxxxxxxxxxxxxxx>, <oss-security@xxxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <security-reports@xxxxxxxxxx>, <security@xxxxxxxxxx>
Subject: [CVE-2018-8013] Apache Batik information disclosure vulnerability
From: "Simon Steiner" <simonsteiner1984@xxxxxxxxx>
Date: Wed, 23 May 2018 13:16:00 +0100

CVE-2018-8013:
        Apache Batik information disclosure vulnerability

Severity:
        Medium

Vendor:
        The Apache Software Foundation

Versions Affected:
        Batik 1.0 - 1.9.1
 
Description:
        When deserializing subclass of `AbstractDocument`, the class takes a
string from the inputStream as the class name which then use it to call the
no-arg constructor of the class.
        Fix was to check the class type before calling newInstance in
deserialization.

Mitigation:
        Users should upgrade to Batik 1.10+

Credit:
        This issue was independently reported by Man Yue Mo.

References:
        http://xmlgraphics.apache.org/security.html

The Apache XML Graphics team.

Prev by Date: [slackware-security] mozilla-thunderbird (SSA:2018-142-02)
Next by Date: [security bulletin] MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting
Previous by thread: [slackware-security] mozilla-thunderbird (SSA:2018-142-02)
Next by thread: [security bulletin] MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting
Index(es):
- Date
- Thread