CVE-2017-18349

Source
https://cve.org/CVERecord?id=CVE-2017-18349
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18349.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-18349
Aliases
Published
2018-10-23T20:29:00.263Z
Modified
2026-04-11T04:38:02.771294Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

References

Affected packages

Git / github.com/alibaba/fastjson

Affected ranges

Type
GIT
Repo
https://github.com/alibaba/fastjson
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2.25"
        }
    ]
}
Type
GIT
Repo
https://github.com/pippo-java/pippo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.11.0"
        }
    ]
}

Affected versions

1.*
1.1.20
1.1.21
1.1.22
1.1.23
1.1.25
1.1.26
1.1.27
1.1.31
1.1.32
1.1.33
1.1.35
1.1.36
1.1.42
1.2.0
1.2.1
1.2.10
1.2.11_release
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.2
1.2.20
1.2.21
1.2.22
1.2.23
1.2.24
1.2.4
1.2.6
1.2.7
1.2.8
1.2.9
pippo-parent-0.*
pippo-parent-0.1.0
pippo-parent-0.2.0
pippo-parent-0.3.0
pippo-parent-0.4.0
release-0.*
release-0.10.0
release-0.4.2
release-0.5.0
release-0.6.0
release-0.6.1
release-0.7.0
release-0.8.0
release-0.9.0
release-0.9.1
release-1.*
release-1.0.0
release-1.1.0
release-1.10.0
release-1.11.0
release-1.2.0
release-1.3.0
release-1.4.0
release-1.5.0
release-1.6.0
release-1.7.0
release-1.8.0
release-1.9.0

Database specific

vanir_signatures_modified
"2026-04-11T04:38:02Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18349.json"