Serialized objects can be altered unless they are protected using mechanisms, such as sealing and signing. (See guideline VOID SEC16-J. Sign and seal sensitive objects before transit.) If an attacker can alter the serialized form of the object, it becomes possible to modify the system resource that the serialized handle refers to. For example, an attacker may modify a serialized file handle to refer to an arbitrary file on the system. In the absence of a security manager, any operations that use the file handle will be carried out using the attacker supplied file path and file name.
...