CVE-2018-8013

Summary

CVE	CVE-2018-8013
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-05-24 16:29:00 UTC
Updated	2024-01-07 11:15:00 UTC
Description	In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Risk And Classification

Problem Types: CWE-502

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Batik	All	All	All	All
Application	Apache	Batik	All	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Debian	Debian Linux	7.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	7.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Oracle	Business Intelligence	11.1.1.7.0	All	All	All
Application	Oracle	Business Intelligence	11.1.1.9.0	All	All	All
Application	Oracle	Business Intelligence	12.2.1.3.0	All	All	All
Application	Oracle	Business Intelligence	12.2.1.4.0	All	All	All
Application	Oracle	Business Intelligence	11.1.1.7.0	All	All	All
Application	Oracle	Business Intelligence	11.1.1.9.0	All	All	All
Application	Oracle	Business Intelligence	12.2.1.3.0	All	All	All
Application	Oracle	Business Intelligence	12.2.1.4.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Metasolv Solution	6.3.0	All	All	All
Application	Oracle	Communications Metasolv Solution	6.3.0	All	All	All
Application	Oracle	Communications Webrtc Session Controller	All	All	All	All
Application	Oracle	Communications Webrtc Session Controller	All	All	All	All
Application	Oracle	Data Integrator	12.2.1.3.0	All	All	All
Application	Oracle	Data Integrator	12.2.1.3.0	All	All	All
Application	Oracle	Enterprise Repository	11.1.1.7.0	All	All	All
Application	Oracle	Enterprise Repository	12.1.3.0.0	All	All	All
Application	Oracle	Enterprise Repository	11.1.1.7.0	All	All	All
Application	Oracle	Enterprise Repository	12.1.3.0.0	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Fusion Middleware Mapviewer	12.2.1.2	All	All	All
Application	Oracle	Fusion Middleware Mapviewer	12.2.1.3	All	All	All
Application	Oracle	Fusion Middleware Mapviewer	12.2.1.2	All	All	All
Application	Oracle	Fusion Middleware Mapviewer	12.2.1.3	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.1	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.2	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.3	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.1	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.2	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.3	All	All	All
Application	Oracle	Insurance Calculation Engine	10.1.1	All	All	All
Application	Oracle	Insurance Calculation Engine	10.2.1	All	All	All
Application	Oracle	Insurance Calculation Engine	10.1.1	All	All	All
Application	Oracle	Insurance Calculation Engine	10.2.1	All	All	All
Application	Oracle	Insurance Policy Administration J2ee	10.0	All	All	All
Application	Oracle	Insurance Policy Administration J2ee	10.2	All	All	All
Application	Oracle	Insurance Policy Administration J2ee	10.0	All	All	All
Application	Oracle	Insurance Policy Administration J2ee	10.2	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	9.2	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	9.2	All	All	All
Application	Oracle	Retail Back Office	13.3	All	All	All
Application	Oracle	Retail Back Office	13.4	All	All	All
Application	Oracle	Retail Back Office	14	All	All	All
Application	Oracle	Retail Back Office	14.1	All	All	All
Application	Oracle	Retail Back Office	13.3	All	All	All
Application	Oracle	Retail Back Office	13.4	All	All	All
Application	Oracle	Retail Back Office	14	All	All	All
Application	Oracle	Retail Back Office	14.1	All	All	All
Application	Oracle	Retail Central Office	14.1	All	All	All
Application	Oracle	Retail Central Office	14.1	All	All	All
Application	Oracle	Retail Integration Bus	17.0	All	All	All
Application	Oracle	Retail Integration Bus	17.0	All	All	All
Application	Oracle	Retail Order Broker	15.0	All	All	All
Application	Oracle	Retail Order Broker	16.0	All	All	All
Application	Oracle	Retail Order Broker	5.1	All	All	All
Application	Oracle	Retail Order Broker	5.2	All	All	All
Application	Oracle	Retail Order Broker	15.0	All	All	All
Application	Oracle	Retail Order Broker	16.0	All	All	All
Application	Oracle	Retail Order Broker	5.1	All	All	All
Application	Oracle	Retail Order Broker	5.2	All	All	All
Application	Oracle	Retail Point-of-service	13.4	All	All	All
Application	Oracle	Retail Point-of-service	14.0	All	All	All
Application	Oracle	Retail Point-of-service	14.1	All	All	All
Application	Oracle	Retail Point-of-service	13.4	All	All	All
Application	Oracle	Retail Point-of-service	14.0	All	All	All
Application	Oracle	Retail Point-of-service	14.1	All	All	All
Application	Oracle	Retail Returns Management	14.1	All	All	All
Application	Oracle	Retail Returns Management	14.1	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!		lists.apache.org
Apache Batik CVE-2018-8013 Information Disclosure Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
Oracle Critical Patch Update Advisory - July 2020	MISC	www.oracle.com
CPU July 2018	CONFIRM	www.oracle.com	Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com
USN-3661-1: Batik vulnerability \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com	Third Party Advisory
GLSA-202401-11		security.gentoo.org
Apache Batik Deserialization Error Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker	SECTRACK	www.securitytracker.com	Third Party Advisory, VDB Entry
Oracle Critical Patch Update - January 2019	CONFIRM	www.oracle.com	Patch, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update - July 2019	MISC	www.oracle.com
[CVE-2018-8013] Apache Batik information disclosure vulnerability	MLIST	mail-archives.apache.org	Mailing List, Third Party Advisory
The Apache(tm) XML Graphics Project - Community	CONFIRM	xmlgraphics.apache.org	Third Party Advisory
[SECURITY] [DLA 1385-1] batik security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
CPU Oct 2018	CONFIRM	www.oracle.com	Patch, Third Party Advisory
[CVE-2018-8013] Apache Batik information disclosure vulnerability		mail-archives.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - April 2019	MISC	www.oracle.com	Patch, Third Party Advisory
Debian -- Security Information -- DSA-4215-1 batik	DEBIAN	www.debian.org	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

20288 Oracle Database 19c Critical OJVM Patch Update - October 2020
20297 Oracle Database 18c Critical OJVM Patch Update - October 2020
20313 Oracle Database 12.2.0.1 Critical OJVM Patch Update - October 2020
710829 Gentoo Linux Apache Batik Multiple Vulnerabilities (GLSA 202401-11)