Lucene search

[email protected]NVD:CVE-2018-8013

HistoryMay 24, 2018 - 4:29 p.m.

CVE-2018-8013

2018-05-2416:29:00

CWE-502

[email protected]

web.nvd.nist.gov

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

77.7%

JSON

In Apache Batik 1.x before 1.10, when deserializing subclass of AbstractDocument, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Affected configurations

NVD

Node

apachebatikRange1.0–1.10

Node

debiandebian_linuxMatch7.0

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

Node

canonicalubuntu_linuxMatch14.04lts

Node

oraclebusiness_intelligenceMatch11.1.1.7.0enterprise

oraclebusiness_intelligenceMatch11.1.1.9.0enterprise

oraclebusiness_intelligenceMatch12.2.1.3.0enterprise

oraclebusiness_intelligenceMatch12.2.1.4.0enterprise

oraclecommunications_diameter_signaling_routerRange<8.3

oraclecommunications_metasolv_solutionMatch6.3.0

oraclecommunications_webrtc_session_controllerRange<7.2

oracledata_integratorMatch12.2.1.3.0

oracleenterprise_repositoryMatch11.1.1.7.0

oracleenterprise_repositoryMatch12.1.3.0.0

oraclefinancial_services_analytical_applications_infrastructureRange7.3.3.0.0–7.3.3.0.2

oraclefinancial_services_analytical_applications_infrastructureRange8.0.0.0.0–8.0.7.1.0

oraclefusion_middleware_mapviewerMatch12.2.1.2

oraclefusion_middleware_mapviewerMatch12.2.1.3

oracleinstantis_enterprisetrackMatch17.1

oracleinstantis_enterprisetrackMatch17.2

oracleinstantis_enterprisetrackMatch17.3

oracleinsurance_calculation_engineMatch10.1.1

oracleinsurance_calculation_engineMatch10.2.1

oracleinsurance_policy_administration_j2eeMatch10.0

oracleinsurance_policy_administration_j2eeMatch10.2

oraclejd_edwards_enterpriseone_toolsMatch9.2

oracleretail_back_officeMatch13.3

oracleretail_back_officeMatch13.4

oracleretail_back_officeMatch14

oracleretail_back_officeMatch14.1

oracleretail_central_officeMatch14.1

oracleretail_integration_busMatch17.0

oracleretail_order_brokerMatch5.1

oracleretail_order_brokerMatch5.2

oracleretail_order_brokerMatch15.0

oracleretail_order_brokerMatch16.0

oracleretail_point-of-serviceMatch13.4

oracleretail_point-of-serviceMatch14.0

oracleretail_point-of-serviceMatch14.1

oracleretail_returns_managementMatch14.1

References

www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

www.securityfocus.com/bid/104252

www.securitytracker.com/id/1040995

lists.apache.org/thread.html/r9e90b4d1cf6ea87a79bb506541140dfbf4801f4463a7cee08126ee44%40%3Ccommits.xmlgraphics.apache.org%3E

lists.apache.org/thread.html/rc0a31867796043fbe59113fb654fe8b13309fe04f8935acb8d0fab19%40%3Ccommits.xmlgraphics.apache.org%3E

lists.debian.org/debian-lts-announce/2018/05/msg00016.html

mail-archives.apache.org/mod_mbox/xmlgraphics-batik-dev/201805.mbox/%3c000701d3f28f%24d01860a0%24704921e0%24%40gmail.com%3e

security.gentoo.org/glsa/202401-11

usn.ubuntu.com/3661-1/

www.debian.org/security/2018/dsa-4215

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpuoct2020.html

www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

xmlgraphics.apache.org/security.html

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

77.7%

JSON

Related for NVD:CVE-2018-8013

openvas5 veracode1 ibm11 nessus12 redhatcve1 osv4 cvelist1 debian3 ubuntu1 fedora2 ubuntucve1 debiancve1 prion1 github1 cve1 gentoo1 oracle7