CVE-2018-8013
In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as a class name and then uses it to call the no-arg constructor of that class. The fix was to check the class type before calling `newInstance` in deserialization.
Date published: 2018-05-24
http://www.securityfocus.com/bid/104252
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
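
The type check described above, sketched as an added Java example; it is not Batik's code. `Impl`, `GoodImpl`, `Unrelated` and the two loader methods are hypothetical names, and the stream contents are constructed in memory. It shows why the check has to come before `newInstance`: a cast applied afterwards fails only once the named class's constructor has already run.

```java
import java.io.*;

public class ClassNameCheckDemo {
    // Hypothetical stand-in for the interface the restored field must implement.
    public interface Impl {}
    public static class GoodImpl implements Impl { public GoodImpl() {} }
    // Constructed class with a visible constructor side effect; it is not an Impl.
    public static class Unrelated {
        static boolean constructed = false;
        public Unrelated() { constructed = true; }
    }

    // Pattern from the description: instantiate whatever class the stream names.
    static Impl loadUnchecked(ObjectInputStream in) throws Exception {
        Class<?> c = Class.forName((String) in.readObject());
        // The cast is evaluated only after the no-arg constructor has executed.
        return (Impl) c.getDeclaredConstructor().newInstance();
    }

    // Hardened form: resolve without initializing, check the type, then instantiate.
    static Impl loadChecked(ObjectInputStream in) throws Exception {
        String name = (String) in.readObject();
        Class<?> c = Class.forName(name, false, ClassNameCheckDemo.class.getClassLoader());
        if (!Impl.class.isAssignableFrom(c)) {
            throw new InvalidObjectException("unexpected class in stream: " + name);
        }
        return c.asSubclass(Impl.class).getDeclaredConstructor().newInstance();
    }

    // Builds an in-memory serialized stream holding only a class-name string.
    static ObjectInputStream streamOf(String className) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(className); }
        return new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()));
    }

    public static void main(String[] args) throws Exception {
        String name = Unrelated.class.getName();
        try { loadUnchecked(streamOf(name)); } catch (ClassCastException e) {
            System.out.println("unchecked: constructor ran = " + Unrelated.constructed);
        }
        Unrelated.constructed = false;
        try { loadChecked(streamOf(name)); } catch (InvalidObjectException e) {
            System.out.println("checked: constructor ran = " + Unrelated.constructed);
        }
        System.out.println(loadChecked(streamOf(GoodImpl.class.getName())).getClass().getSimpleName());
    }
}
```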