Vulnerability Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alibaba | Fastjson | < 1.2.25 |
| Pippo | Pippo | 1.11.0 |
Related Weaknesses (CWE)
References
- https://fortiguard.com/encyclopedia/ips/44059MitigationThird Party Advisory
- https://github.com/alibaba/fastjson/wiki/security_update_20170315MitigationThird Party Advisory
- https://github.com/pippo-java/pippo/issues/466ExploitThird Party Advisory
- https://fortiguard.com/encyclopedia/ips/44059MitigationThird Party Advisory
- https://github.com/alibaba/fastjson/wiki/security_update_20170315MitigationThird Party Advisory
- https://github.com/pippo-java/pippo/issues/466ExploitThird Party Advisory
FAQ
What is CVE-2017-18349?
CVE-2017-18349 is a vulnerability with a CVSS score of 9.8 (CRITICAL). parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a ...
How severe is CVE-2017-18349?
CVE-2017-18349 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-18349?
Check the references section above for vendor advisories and patch information. Affected products include: Alibaba Fastjson, Pippo Pippo.