EPSS: 0.003 (Low)
Percentile: 69.9%
Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream’s available protection mechanisms to restrict unmarshalling.
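The protection mechanisms the description mentions are XStream's type permissions, available in XStream 1.4.7 and later. The sketch below is an added example, not Pippo's code and not the change made in the referenced commit: it denies all types and then allowlists only what the application expects. The `Contact` class, the class name `RestrictedXStreamDemo` and both XML inputs are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class RestrictedXStreamDemo {

    // Hypothetical application DTO: the only custom type expected in request bodies.
    public static class Contact {
        String name;
        int id;
    }

    // Build an XStream instance that refuses every type not explicitly allowed.
    static XStream restricted() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // start from deny-all
        xstream.addPermission(NullPermission.NULL);                // permit null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit primitives and their wrappers
        xstream.allowTypes(new Class[] { String.class, Contact.class });
        xstream.alias("contact", Contact.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = restricted();

        // Constructed input using only allowlisted types: unmarshalled normally.
        String expected = "<contact><name>Ada</name><id>7</id></contact>";
        Contact c = (Contact) xstream.fromXML(expected);
        System.out.println("accepted: " + c.name + " / " + c.id);

        // Constructed input naming a benign JDK type that is NOT on the allowlist.
        // The permission check runs when the element name is resolved to a class,
        // before any instance of that class is created.
        String unexpected = "<java.util.concurrent.atomic.AtomicLong>1</java.util.concurrent.atomic.AtomicLong>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected type was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

With a default, unrestricted `XStream` instance the element name alone decides which class is instantiated, which is why an engine that unmarshals request bodies needs the allowlist applied before `fromXML` is ever called.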
github.com/pippo-java/pippo
github.com/pippo-java/pippo/commit/c6b26551a82d2dd32097fcb17c13c3b830916296
github.com/pippo-java/pippo/issues/454
nvd.nist.gov/vuln/detail/CVE-2018-18240