Deserialization of untrusted data in Apache Batik

#VU13059 Deserialization of untrusted data in Apache Batik

Published: 2018-05-30 | Updated: 2018-05-30

Vulnerability identifier: #VU13059

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-8013

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Batik
Web applications / Other software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient validation of user-supplied data. A remote attacker can supply specially crafted data, trigger a deserialization error in a subclass of 'AbstractDocuent' and access potentially sensitive information.

Mitigation
Update to version 1.10.

Vulnerable software versions

Apache Batik: 1.6 - 1.9.1

External links
http://xmlgraphics.apache.org/security.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Application Performance Management

Gentoo update for Apache Batik

Multiple vulnerabilities in IBM Business Automation Workflow and IBM Case Manager

Multiple vulnerabilities in IBM Tivoli Network Manager (ITNM)

Multiple vulnerabilities in IBM Intelligent Operations Center (IOC)

Multiple vulnerabilities in IBM Engineering Systems Design Rhapsody

Multiple vulnerabilities in Oracle Insurance Applications

Multiple vulnerabilities in Oracle Insurance Calculation Engine

Debian update for batik

Information disclosure in Apache Batik