CVE-2017-18349: Improper Input Validation

October 24, 2018 (updated September 26, 2023)

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

References

fortiguard.com/encyclopedia/ips/44059
github.com/advisories/GHSA-xjrr-xv9m-4pw5
github.com/alibaba/fastjson/wiki/security_update_20170315
github.com/pippo-java/pippo/commit/8443377d3c5b35acca190a66894b4f95e4051be2
github.com/pippo-java/pippo/issues/466
nvd.nist.gov/vuln/detail/CVE-2017-18349

Detect and mitigate CVE-2017-18349 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →