GHSA-xjrr-xv9m-4pw5

Published: 24 Oct 2018
Source: github
GitHub: reviewed
CVSS3: 9.8

Description

Improper Input Validation in alibaba:fastjson

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Packages

Name: com.alibaba:fastjson (maven)
Affected versions: <= 1.2.24
Fixed version: 1.2.31

Name: ro.pippo:pippo-fastjson (maven)
Affected versions: < 1.12.0
Fixed version: 1.12.0

EPSS

Score: 0.90832 (percentile: 100%), critical

CVSS3

9.8 Critical

Weaknesses

CWE-20

Related vulnerabilities

CVSS3: 9.8
nvd
more than 7 years ago