CVE-2017-18349
CRITICAL9.8EPSS 88.7%Improper Input Validation in alilibaba:fastjson
Published: 10/24/2018Modified: 2/16/2024
Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
Affected packages (2)
- Maven/com.alibaba:fastjsonfrom 0, < 1.2.31
- Maven/ro.pippo:pippo-fastjsonfrom 0, < 1.12.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-xjrr-xv9m-4pw5
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-18349
- PATCHhttps://github.com/alibaba/fastjson
- WEBhttps://fortiguard.com/encyclopedia/ips/44059
- WEBhttps://github.com/alibaba/fastjson/wiki/security_update_20170315
- WEBhttps://github.com/pippo-java/pippo/commit/8443377d3c5b35acca190a66894b4f95e4051be2
- WEBhttps://github.com/pippo-java/pippo/issues/466