Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which, upon deserialization, can yield objects that the attacker lacks permissions to construct. One example is the construction of a sensitive object , such as a custom class loader. Consequently, avoid deserializing from a privileged context. When deserializing requires privileges, programs must strip all permissions other than the minimum set required for the intended usage. See the rule SEC02-J. Remove superfluous code from privileged blocks for additional information.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="257a9486fac94c8b-360c7f95-43654e05-b1b0a876-5ccd209f8a0382daf970f743"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6c0c684c77038977-5222be5f-42cd4009-9b099d9b-c1bd3f961bc00ecdec06a250"><ac:plain-text-body><![CDATA[ | [[CVE 2008 | AA. Bibliography#CVE 08]] | [CVE-2008-5353 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353] | ]]></ac:plain-text-body></ac:structured-macro> |
...