A flaw was found in Apache Batik versions 1.0 through 1.9.1. An information disclosure exists when deserializing a subclass of `AbstractDocument`: the class reads a string from the input stream, treats it as a class name, and uses it to call the no-arg constructor of that class. References: https://xmlgraphics.apache.org/security.html and http://seclists.org/oss-sec/2018/q2/135
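The mechanism described above (a class name taken from the serialized stream and handed to a no-arg constructor) is the general shape of an unvalidated reflective instantiation inside `readObject`. The following is an added illustration, not Batik's source code: it shows that shape in a hypothetical `UnsafeDocument` and, beside it, a hardened `SafeDocument` that only instantiates names on an explicit allowlist. The class names `DocumentDeserialization`, `UnsafeDocument`, `SafeDocument` and the allowlist entry `org.example.ExpectedDOMImplementation` are assumed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/*
 * Constructed illustration, not Apache Batik's code. It mirrors the pattern
 * from the advisory (a class name read from the stream is fed to a no-arg
 * constructor) next to a hardened form that validates the name first.
 */
public class DocumentDeserialization {

    /** Vulnerable shape: whatever name is in the stream gets instantiated. */
    static class UnsafeDocument implements Serializable {
        private static final long serialVersionUID = 1L;
        String implClassName;
        transient Object impl;

        UnsafeDocument(String implClassName) { this.implClassName = implClassName; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();          // restores implClassName from the stream
            try {
                // implClassName comes from untrusted bytes, so any class on the
                // classpath with an accessible no-arg constructor can be built here.
                impl = Class.forName(implClassName).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw new InvalidObjectException("cannot instantiate " + implClassName);
            }
        }
    }

    /** Hardened shape: the name must be on an explicit allowlist before use. */
    static class SafeDocument implements Serializable {
        private static final long serialVersionUID = 1L;
        // Assumed placeholder for the implementation classes the application expects.
        static final Set<String> ALLOWED_IMPLS = Set.of("org.example.ExpectedDOMImplementation");

        String implClassName;
        transient Object impl;

        SafeDocument(String implClassName) { this.implClassName = implClassName; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (implClassName == null || !ALLOWED_IMPLS.contains(implClassName)) {
                throw new InvalidObjectException("refusing to instantiate " + implClassName);
            }
            try {
                impl = Class.forName(implClassName).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw new InvalidObjectException("cannot instantiate " + implClassName);
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A harmless but unexpected class name: java.lang.Object has a public no-arg constructor.
        byte[] unsafeBytes = serialize(new UnsafeDocument("java.lang.Object"));
        UnsafeDocument u = (UnsafeDocument) deserialize(unsafeBytes);
        System.out.println("unsafe: instantiated " + u.impl.getClass().getName());

        byte[] safeBytes = serialize(new SafeDocument("java.lang.Object"));
        try {
            deserialize(safeBytes);
        } catch (InvalidObjectException e) {
            System.out.println("safe: " + e.getMessage());
        }
    }
}
```

One caveat worth keeping in mind when relying on the JDK's serialization filter (`ObjectInputFilter`, Java 9 and later) as a mitigation: the filter vets classes that `ObjectInputStream` itself resolves while reading the stream, not classes that an application's own `readObject` instantiates reflectively from a string it pulled out of the stream. A check inside `readObject`, as in `SafeDocument` above, is therefore still needed for this pattern.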
Created batik tracking bugs for this issue: Affects: fedora-all [bug 1581726]
External References: https://xmlgraphics.apache.org/security.html and http://seclists.org/oss-sec/2018/q2/135