CVE-2017-18349

Published: 23/10/2018 Updated: 28/01/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 891
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

parseObject in Fastjson prior to 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Affected Products

Vendor   Product   Versions
Pippo    Pippo     1.11.0

Github Repositories

About 灵悉: this is the server-side code of the 灵悉 project.
[19/05/18]
1. Introduced Swagger2 to generate the API documentation, which can be viewed once the service has started.
2. Introduced dom4j for XML parsing and added a simple token check.
3. Many configuration items; I hope you find them useful.
4. Addendum: bumped the fastjson version, because the older version has a vulnerability; see CVE-2017-18349.
[18/09/29]
1. RSS code updated and synchronised with the app service.
2. Dynamic comments.

clocwalk: project code and dependent component analysis tool.
Dependency installation:
npm install -g cloc        # www.npmjs.com/package/cloc
sudo apt install cloc      # Debian, Ubuntu
sudo yum install cloc      # Red Hat, Fedora
sudo dnf install cloc      # Fedora 22 or later
sudo pacman -S cloc

VulInfo: these are the vulnerabilities discovered by Galaxy Lab.
D-Link DIR-846
CVE-2018-16408: Remote code execution (Credit: bigbear)
CVE-2018-16823: Remote code execution (Credit: bigbear)
CVE-2018-16830: Change admin password (Credit: bigbear)
CVE-2018-16824: Turn off verification (Credit: bigbear)
CVE-2018-16828: Unauthorized syslog file download (Credit: bigbear)
CVE-2018-16827: Un