CVE-2017-18349

🗓️ 23 Oct 2018 20:00:00Reported by mitreType

cve🔗 web.nvd.nist.gov👁 151 Views🌐 WEB

CVE-2017-18349 parseObject in Fastjson before 1.2.25, allows remote code execution via crafted JSON request mishandled in AjaxApplication.java

Reporter	Title	Published	Views	Family All 17
GithubExploit	Exploit for Improper Input Validation in Alibaba Fastjson	29 May 202609:40	–	githubexploit
Circl	CVE-2017-18349	23 Dec 202400:00	–	circl
CNVD	Pippo FastjsonEngine Fastjson Arbitrary Code Execution Vulnerability	24 Oct 201800:00	–	cnvd
Cvelist	CVE-2017-18349	23 Oct 201820:00	–	cvelist
EUVD	EUVD-2026-1694	9 Jan 202606:43	–	euvd
Github Security Blog	Improper Input Validation in alilibaba:fastjson	24 Oct 201819:42	–	github
GitLab Advisory Database	Improper Input Validation	23 Oct 201800:00	–	gitlab
Nuclei	Fastjson Insecure Deserialization - Remote Code Execution	2 Jun 202610:14	–	nuclei
NVD	CVE-2017-18349	23 Oct 201820:29	–	nvd
OSV	GHSA-XJRR-XV9M-4PW5 Improper Input Validation in alilibaba:fastjson	24 Oct 201819:42	–	osv

NVD

Node

pippo pippoMatch1.11.0

Source	Link
github	www.github.com/pippo-java/pippo/issues/466
fortiguard	www.fortiguard.com/encyclopedia/ips/44059
github	www.github.com/alibaba/fastjson/wiki/security_update_20170315

Parameter	Position	Path	Description	CWE
@type	request body	/	Deserialization uses Fastjson with @type to trigger type metadata processing.	CWE-20
data.@type	nested	/	Nested gadget payload to bypass fixed-type mapping and reach deserialization gadget (JdbcRowSetImpl) for potential RCE.	CWE-20
data.dataSourceName	nested	/	Nested gadget payload to bypass fixed-type mapping and reach deserialization gadget (JdbcRowSetImpl) for potential RCE.	CWE-20

21 Nov 2024 03:19Current

9.5High risk

Vulners AI Score9.5

CVSS 39.8

CVSS 210

EPSS0.8869