Security Advisory

CVE-2018-8013

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2018-05-24 16:00:00
Last updated 2024-09-16 23:16:36
Assigner apache
State PUBLISHED

Description

In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as a class name and then uses it to call the no-arg constructor of that class. The fix was to check the class type before calling `newInstance` during deserialization.
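The pattern described above, next to a version with the type check, as an added Java example. It is not Batik's source code, and every class and method name in it (`Implementation`, `DefaultImplementation`, `Unrelated`, `unsafeLoad`, `safeLoad`, `streamWith`) is hypothetical.

```java
import java.io.*;

// Illustrative only: hypothetical classes, not Batik source.
public class ClassNameDeserializationDemo {
    interface Implementation extends Serializable {}      // the type the field is meant to hold
    public static class DefaultImplementation implements Implementation {
        public DefaultImplementation() {}
    }
    public static class Unrelated {                       // stands in for any other class on the classpath
        static boolean constructed = false;
        public Unrelated() { constructed = true; }
    }

    // Pattern from the description: a name read from the stream goes straight to the no-arg constructor.
    static Object unsafeLoad(ObjectInputStream in) throws Exception {
        String name = (String) in.readObject();
        return Class.forName(name).getDeclaredConstructor().newInstance();
    }

    // Hardened: resolve without running static initializers, check the type, only then instantiate.
    static Implementation safeLoad(ObjectInputStream in) throws Exception {
        String name = (String) in.readObject();
        Class<?> c = Class.forName(name, false, ClassNameDeserializationDemo.class.getClassLoader());
        if (!Implementation.class.isAssignableFrom(c)) {
            throw new InvalidClassException(name, "not an Implementation");
        }
        return (Implementation) c.getDeclaredConstructor().newInstance();
    }

    // Builds a constructed sample stream that carries only a class name.
    static ObjectInputStream streamWith(String className) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(className); }
        return new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()));
    }

    public static void main(String[] args) throws Exception {
        String bad = Unrelated.class.getName();           // constructed sample input
        unsafeLoad(streamWith(bad));
        System.out.println("unsafe path ran constructor: " + Unrelated.constructed);
        Unrelated.constructed = false;
        try { safeLoad(streamWith(bad)); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("safe path ran constructor: " + Unrelated.constructed);
        System.out.println(safeLoad(streamWith(DefaultImplementation.class.getName())).getClass().getSimpleName());
    }
}
```

Loading the class with `initialize` set to `false` keeps its static initializers from running before the `isAssignableFrom` check has accepted it.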