CVE-2017-18349

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
References
Link Resource
https://fortiguard.com/encyclopedia/ips/44059 Mitigation Third Party Advisory
https://github.com/alibaba/fastjson/wiki/security_update_20170315 Mitigation Third Party Advisory
https://github.com/pippo-java/pippo/issues/466 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
cpe:2.3:a:pippo:pippo:1.11.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-10-23 20:29

Updated : 2024-02-04 20:03


NVD link : CVE-2017-18349

Mitre link : CVE-2017-18349

CVE.ORG link : CVE-2017-18349


JSON object : View

Products Affected

pippo

  • pippo

alibaba

  • fastjson
CWE
CWE-20

Improper Input Validation