Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which, upon deserialization, can yield objects that the attacker lacks permissions to construct. One example is the construction of a sensitive object such as a custom class loader. Consequently, avoid deserializing from a privileged context. When deserializing requires privileges, programs must strip all permissions other than the minimum set required for the intended usage. See the rule SEC02-J. Remove superfluous code from privileged blocks for additional information.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="df0e6a262c4bb0b3-f0fa4f69-420e4a7a-a84b824c-8dea4ea78e59ec36e7f304d8"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="580c69ca1fcedabf-31cd938c-4c624363-9e429f85-d9f5b96d70f1ea06af70b6da"><ac:plain-text-body><![CDATA[ | [[CVE 2008 | AA. Bibliography#CVE 08]] | [CVE-2008-5353 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353] | ]]></ac:plain-text-body></ac:structured-macro> |
...