GHSA-xjrr-xv9m-4pw5

Source
https://github.com/advisories/GHSA-xjrr-xv9m-4pw5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xjrr-xv9m-4pw5/GHSA-xjrr-xv9m-4pw5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xjrr-xv9m-4pw5
Aliases
Published
2018-10-24T19:42:03Z
Modified
2024-02-16T07:59:10.562257Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Input Validation in alibaba:fastjson
Details

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:42Z"
}
References

Affected packages

Maven / com.alibaba:fastjson

Package

Name
com.alibaba:fastjson
Purl
pkg:maven/com.alibaba/fastjson

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.31

Affected versions

1.*

1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.23
1.1.24
1.1.25
1.1.26
1.1.27
1.1.28
1.1.29
1.1.30
1.1.31
1.1.31.sec01
1.1.31.sec04
1.1.31.sec06
1.1.31.sec07
1.1.31.sec10
1.1.31_noneautotype
1.1.32
1.1.33
1.1.33.android
1.1.33.sec01
1.1.33.sec04
1.1.33.sec06
1.1.33.sec10
1.1.34
1.1.34.android
1.1.34.sec01
1.1.34.sec04
1.1.34.sec06
1.1.34.sec09
1.1.34.sec10
1.1.34_noneautotype
1.1.35
1.1.36
1.1.37
1.1.38
1.1.39
1.1.40
1.1.41
1.1.41.sec01
1.1.41.sec04
1.1.41.sec06
1.1.41.sec10
1.1.42
1.1.42.android
1.1.43
1.1.43.android
1.1.44
1.1.44.android
1.1.45
1.1.45.android
1.1.46
1.1.46.android
1.1.46.sec01
1.1.46.sec04
1.1.46.sec06
1.1.46.sec09
1.1.46.sec10
1.1.46_noneautotype
1.1.47.android
1.1.48.android
1.1.49.android
1.1.50.android
1.1.51.android
1.1.52.android
1.1.53.android
1.1.54.android
1.1.55.android
1.1.56.android
1.1.57.android
1.1.58.android
1.1.59.android
1.1.60.android
1.1.61.android
1.1.62.android
1.1.63.android
1.1.64.android
1.1.65.android
1.1.66.android
1.1.67.android
1.1.68.android
1.1.69.android
1.1.70.android
1.1.70.android_noneautotype
1.1.71.android
1.1.72.android
1.1.73.android
1.1.76.android
1.1.76.android_noneautotype
1.1.77.android_noneautotype
1.2.0
1.2.1
1.2.2
1.2.2.sec01
1.2.2.sec10
1.2.3
1.2.4
1.2.4.sec01
1.2.4.sec04
1.2.4.sec09
1.2.4.sec10
1.2.5
1.2.6
1.2.7
1.2.7.sec01
1.2.7.sec04
1.2.7.sec06
1.2.7.sec09
1.2.7.sec10
1.2.8
1.2.8.sec01
1.2.8.sec04
1.2.8.sec05
1.2.8.sec06
1.2.8.sec09
1.2.8.sec10
1.2.8.sec10_noneautotype
1.2.8_noneautotype
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.13.sec01
1.2.14
1.2.14.sec01
1.2.14.sec10
1.2.15
1.2.16
1.2.16.sec01
1.2.16.sec04
1.2.16.sec10
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
1.2.22
1.2.23
1.2.24
1.2.25
1.2.25.sec10
1.2.26
1.2.27
1.2.27.sec06
1.2.27.sec09
1.2.27.sec10
1.2.28
1.2.28.odps
1.2.29
1.2.29.sec04
1.2.29.sec06
1.2.29.sec09
1.2.29.sec10
1.2.30

Database specific

{
    "last_known_affected_version_range": "<= 1.2.24"
}

Maven / ro.pippo:pippo-fastjson

Package

Name
ro.pippo:pippo-fastjson
Purl
pkg:maven/ro.pippo/pippo-fastjson

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.12.0

Affected versions

0.*

0.4.0
0.4.1
0.4.2
0.5.0
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
0.9.1
0.10.0

1.*

1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0