Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which, upon deserialization, can yield objects that the attacker lacks permissions to construct. One example is the construction of a sensitive object , such as a custom class loader. Consequently, avoid deserializing from a privileged context. When deserializing requires privileges, programs must strip all permissions other than the minimum set required for the intended usage. See the rule SEC02-J. Remove superfluous code from privileged blocks for additional information.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="101f78d8442057f2-29625f42-43b7489d-82439384-7bfcfda9bbeb719f5bd19f93"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4962db5a376e5404-48b55bc7-4cfe4ccd-9f6888e4-3b5757bd852199c85966c567"><ac:plain-text-body><![CDATA[ | [[CVE 2008 | AA. Bibliography#CVE 08]] | [CVE-2008-5353 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353] | ]]></ac:plain-text-body></ac:structured-macro> |
...