logo

Database

Lack of data validation In ro.pippo:pippo-fastjson

Description

Improper Input Validation in alilibaba:fastjson parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-183492. NVD-2017-183493. OSV-2017-183494. GHSA-xjrr-xv9m-4pw55. GCVE-2017-18349

References

1. https://github.com/pippo-java/pippo/issues/4662. https://github.com/pippo-java/pippo/commit/8443377d3c5b35acca190a66894b4f95e4051be23. https://fortiguard.com/encyclopedia/ips/440594. https://github.com/alibaba/fastjson/wiki/security_update_201703155. https://vulncheck.com/cve/CVE-2017-183496. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-18349.yaml7. https://github.com/h0cksr/Fastjson--CVE-2017-18349-

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.