Date: Wed, 23 May 2018 13:16:00 +0100 From: "Simon Steiner" <simonsteiner1984@...il.com> To: <general@...graphics.apache.org>, <batik-dev@...graphics.apache.org>, <batik-users@...graphics.apache.org>, <oss-security@...ts.openwall.com>, <bugtraq@...urityfocus.com>, <security-reports@...mle.com>, <security@...che.org> Subject: [CVE-2018-8013] Apache Batik information disclosure vulnerability CVE-2018-8013: Apache Batik information disclosure vulnerability Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Batik 1.0 - 1.9.1 Description: When deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization. Mitigation: Users should upgrade to Batik 1.10+ Credit: This issue was independently reported by Man Yue Mo. References: http://xmlgraphics.apache.org/security.html The Apache XML Graphics team.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.