CVE-2018-18628: Deserialization of Untrusted Data

October 24, 2018 (updated September 2, 2021)

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution.

References

github.com/advisories/GHSA-7fm6-2qw4-g3x3
github.com/pippo-java/pippo/issues/458
nvd.nist.gov/vuln/detail/CVE-2018-18628

Detect and mitigate CVE-2018-18628 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →