GHSA-xjrr-xv9m-4pw5

Suggest an improvement
Source
https://github.com/advisories/GHSA-xjrr-xv9m-4pw5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xjrr-xv9m-4pw5/GHSA-xjrr-xv9m-4pw5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xjrr-xv9m-4pw5
Aliases
Published
2018-10-24T19:42:03Z
Modified
2024-02-16T07:59:10.562257Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Improper Input Validation in alilibaba:fastjson
Details

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

References

Affected packages

Maven / com.alibaba:fastjson

Package

Name
com.alibaba:fastjson
View open source insights on deps.dev
Purl
pkg:maven/com.alibaba/fastjson

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.31

Affected versions

1.*

1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.23
1.1.24
1.1.25
1.1.26
1.1.27
1.1.28
1.1.29
1.1.30
1.1.31
1.1.31.sec01
1.1.31.sec04
1.1.31.sec06
1.1.31.sec07
1.1.31.sec10
1.1.31_noneautotype
1.1.32
1.1.33
1.1.33.android
1.1.33.sec01
1.1.33.sec04
1.1.33.sec06
1.1.33.sec10
1.1.34
1.1.34.android
1.1.34.sec01
1.1.34.sec04
1.1.34.sec06
1.1.34.sec09
1.1.34.sec10
1.1.34_noneautotype
1.1.35
1.1.36
1.1.37
1.1.38
1.1.39
1.1.40
1.1.41
1.1.41.sec01
1.1.41.sec04
1.1.41.sec06
1.1.41.sec10
1.1.42
1.1.42.android
1.1.43
1.1.43.android
1.1.44
1.1.44.android
1.1.45
1.1.45.android
1.1.46
1.1.46.android
1.1.46.sec01
1.1.46.sec04
1.1.46.sec06
1.1.46.sec09
1.1.46.sec10
1.1.46_noneautotype
1.1.47.android
1.1.48.android
1.1.49.android
1.1.50.android
1.1.51.android
1.1.52.android
1.1.53.android
1.1.54.android
1.1.55.android
1.1.56.android
1.1.57.android
1.1.58.android
1.1.59.android
1.1.60.android
1.1.61.android
1.1.62.android
1.1.63.android
1.1.64.android
1.1.65.android
1.1.66.android
1.1.67.android
1.1.68.android
1.1.69.android
1.1.70.android
1.1.70.android_noneautotype
1.1.71.android
1.1.72.android
1.1.73.android
1.1.76.android
1.1.76.android_noneautotype
1.1.77.android_noneautotype
1.2.0
1.2.1
1.2.2
1.2.2.sec01
1.2.2.sec10
1.2.3
1.2.4
1.2.4.sec01
1.2.4.sec04
1.2.4.sec09
1.2.4.sec10
1.2.5
1.2.6
1.2.7
1.2.7.sec01
1.2.7.sec04
1.2.7.sec06
1.2.7.sec09
1.2.7.sec10
1.2.8
1.2.8.sec01
1.2.8.sec04
1.2.8.sec05
1.2.8.sec06
1.2.8.sec09
1.2.8.sec10
1.2.8.sec10_noneautotype
1.2.8_noneautotype
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.13.sec01
1.2.14
1.2.14.sec01
1.2.14.sec10
1.2.15
1.2.16
1.2.16.sec01
1.2.16.sec04
1.2.16.sec10
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
1.2.22
1.2.23
1.2.24
1.2.25
1.2.25.sec10
1.2.26
1.2.27
1.2.27.sec06
1.2.27.sec09
1.2.27.sec10
1.2.28
1.2.28.odps
1.2.29
1.2.29.sec04
1.2.29.sec06
1.2.29.sec09
1.2.29.sec10
1.2.30

Database specific

{
    "last_known_affected_version_range": "<= 1.2.24"
}

Maven / ro.pippo:pippo-fastjson

Package

Name
ro.pippo:pippo-fastjson
View open source insights on deps.dev
Purl
pkg:maven/ro.pippo/pippo-fastjson

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.0

Affected versions

0.*

0.4.0
0.4.1
0.4.2
0.5.0
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
0.9.1
0.10.0

1.*

1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0