apache batik CVE-2018-8013 vulnerability in Apache and Other Products
Published on May 24, 2018

product logo product logo product logo product logo
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Vendor Advisory Vendor Advisory Vendor Advisory NVD


Products Associated with CVE-2018-8013

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2018-8013 are published in these products:

Apache Batik
 
Oracle Business Intelligence
 
Oracle Communications Diameter Signaling Router
 
Oracle Communications Metasolv Solution
 
Oracle Communications Webrtc Session Controller
 
Oracle Data Integrator
 
Oracle Enterprise Repository
 
Oracle Financial Services Analytical Applications Infrastructure
 
Oracle Fusion Middleware Mapviewer
 
Oracle Instantis Enterprisetrack
 
Oracle Insurance Calculation Engine
 
Oracle Insurance Policy Administration J2ee
 
Oracle Jd Edwards Enterpriseone Tools
 
Oracle Retail Back Office
 
Oracle Retail Central Office
 
Oracle Retail Integration Bus
 
Oracle Retail Order Broker
 
Oracle Retail Point Of Service
 
Oracle Retail Returns Management
 
Canonical Ubuntu Linux
 
Debian Linux
 

Affected Versions

Apache Software Foundation Apache Batik Version 1.0 - 1.9.1 is affected by CVE-2018-8013

Exploit Probability

EPSS
1.33%
Percentile
79.66%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.