Information Exposure Affecting org.apache.xmlgraphics:batik-dom package, versions [,1.10)
24 May 2018
23 May 2018
Man Yue Mo
How to fix?
Upgrade org.apache.xmlgraphics:batik-dom to version 1.10 or higher. batik-dom is usually pulled in transitively (for example by batik-transcoder or Apache FOP), so check the version that actually resolves in your build, e.g. with mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik-dom, rather than only the versions you declare directly.
org.apache.xmlgraphics:batik-dom is the DOM module of Apache Batik, a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation.
Affected versions of this package are vulnerable to Information Exposure during deserialization. When deserializing a subclass of AbstractDocument, the class takes a string from the input stream as a class name and uses it to call the no-arg constructor of that class. Because the string comes from the serialized data itself, whoever supplies the data chooses which class on the application's classpath gets instantiated, and that class's constructor runs before the application has any chance to validate the object. Any code path that deserializes untrusted data containing a Batik document is therefore exposed.
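The pattern the advisory describes, as an added illustrative Java example that is not Batik's source code: a custom readObject takes a class name that arrived in the stream and instantiates it by reflection, beside a hardened version that allowlists and type-checks the name before any constructor can run, with a stream-level ObjectInputFilter as defense in depth. Every class and method name here (ReadObjectDemo, Impl, GoodImpl, Canary, the two holder classes) is hypothetical, and the payload is constructed locally to show that the attacker only needs to control the bytes being deserialized.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Illustrative example of the pattern, not Batik's code. Requires Java 9+.
public class ReadObjectDemo {
    // Hypothetical stand-in for the interface the named class is supposed to implement.
    public interface Impl {}
    public static class GoodImpl implements Impl {}

    // Any class on the classpath with a public no-arg constructor. This one only counts
    // its constructions; a real gadget's constructor would do something harmful.
    public static class Canary {
        static int constructed = 0;
        public Canary() { constructed++; }
    }

    static Object newInstance(Class<?> c) throws InvalidObjectException {
        try {
            return c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new InvalidObjectException("cannot instantiate " + c.getName());
        }
    }

    // VULNERABLE: the class name is just another string in the stream, so whoever wrote
    // the stream chooses which no-arg constructor runs during readObject.
    public static class VulnerableHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        private String implClassName;          // serialized, hence attacker-controlled
        private transient Object impl;
        public VulnerableHolder(String implClassName) { this.implClassName = implClassName; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            impl = newInstance(Class.forName(implClassName));
        }
    }

    // HARDENED: allowlist the name, load the class without initializing it, and check the
    // expected type before any constructor or static initializer of that class can run.
    public static class HardenedHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final Set<String> ALLOWED = Set.of("ReadObjectDemo$GoodImpl");
        private String implClassName;
        private transient Impl impl;
        public HardenedHolder(String implClassName) { this.implClassName = implClassName; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (!ALLOWED.contains(implClassName)) {
                throw new InvalidObjectException("implementation class not allowed: " + implClassName);
            }
            Class<?> c = Class.forName(implClassName, false, HardenedHolder.class.getClassLoader());
            if (!Impl.class.isAssignableFrom(c)) {
                throw new InvalidObjectException("not an Impl: " + implClassName);
            }
            impl = (Impl) newInstance(c);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Defense in depth: only our holder classes may appear in the stream. This filter
            // never sees the Class.forName inside readObject, so it cannot replace the
            // allowlist above; it only stops unrelated gadget classes at the stream boundary.
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null || c == String.class || c.getName().startsWith("ReadObjectDemo$")) {
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                return ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker payload: a holder whose embedded class name is Canary, not an Impl.
        deserialize(serialize(new VulnerableHolder("ReadObjectDemo$Canary")));
        System.out.println("vulnerable: Canary constructed " + Canary.constructed + " time(s)");
        try {
            deserialize(serialize(new HardenedHolder("ReadObjectDemo$Canary")));
        } catch (InvalidObjectException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + "), Canary constructed " + Canary.constructed + " time(s)");
        }
    }
}
```

Run it with java ReadObjectDemo.java on Java 11 or later. The vulnerable holder constructs Canary once even though the application never asked for a Canary, which is the behaviour the advisory describes; the hardened holder rejects the name before Class.forName initializes anything, so the counter stays where it was. The important design point is where the check lives: an ObjectInputFilter or a look-ahead ObjectInputStream sees only the classes the stream itself resolves, not a class name that a custom readObject turns into an object by reflection, so the allowlist and isAssignableFrom check inside readObject are what actually close this hole.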