5 matches found
Exploit for Improper Input Validation in Alibaba Fastjson
Lab 6-CVE-2017-18349 I. SYSTEM ANALYSIS Attack S...
CVE-2017-18349
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
CVE-2017-18349
creationtimestamp | type | source
---|---|---
2024-12-23 00:00:00+00:00 | seen | The Shadowserver honeypot/common-vulnerabilities - 2024-12-23
2024-12-27 00:00:00+00:00 | seen | The Shadowserver honeypot/common-vulnerabilities - 2024-12-27
2024-12-30 00:00:00+00:00 | seen | The Shadowserver...
io.andromeda:lyricist (>=0.2.3 <=0.2.4), io.andromeda:lyricist-demo (=0.2.3) +5 more potentially affected by CVE-2017-18349 via ro.pippo:pippo-fastjson (>=0.4.0 <=0.9.1)
ro.pippo:pippo-fastjson MAVEN version =0.4.0, =0.2.3, =0.6.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.6.1 Source cves: CVE-2017-18349 Source advisory: OSV:GHSA-XJRR-XV9M-4PW5...
CVE-2017-18349
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...