CVE-2018-18240: Deserialization of Untrusted Data

May 13, 2022 (updated October 6, 2023)

Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream’s available protection mechanisms to restrict unmarshalling.

References

github.com/advisories/GHSA-h892-x453-86wc
github.com/pippo-java/pippo/commit/c6b26551a82d2dd32097fcb17c13c3b830916296
github.com/pippo-java/pippo/issues/454
nvd.nist.gov/vuln/detail/CVE-2018-18240

Detect and mitigate CVE-2018-18240 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →