### [CVE-2017-18349](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18349)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brightgreen)

### Description

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

### POC

#### Reference
- https://fortiguard.com/encyclopedia/ips/44059

#### Github
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/CLincat/vulcat
- https://github.com/Nickel-Angel/lingxi-server
- https://github.com/PAGalaxyLab/VulInfo
- https://github.com/ReAbout/audit-java
- https://github.com/W01fh4cker/LearnFastjsonVulnFromZero-Basic
- https://github.com/bigblackhat/oFx
- https://github.com/g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks
- https://github.com/h0cksr/Fastjson--CVE-2017-18349-
- https://github.com/happycao/lingxi-server
- https://github.com/hinat0y/Dataset1
- https://github.com/hinat0y/Dataset10
- https://github.com/hinat0y/Dataset11
- https://github.com/hinat0y/Dataset12
- https://github.com/hinat0y/Dataset2
- https://github.com/hinat0y/Dataset3
- https://github.com/hinat0y/Dataset4
- https://github.com/hinat0y/Dataset5
- https://github.com/hinat0y/Dataset6
- https://github.com/hinat0y/Dataset7
- https://github.com/hinat0y/Dataset8
- https://github.com/hinat0y/Dataset9
- https://github.com/junesi513/AVR_Agent
- https://github.com/luckyfuture0177/VULOnceMore
- https://github.com/openx-org/BLEN
- https://github.com/pan2013e/ppt4j
- https://github.com/qiuluo-oss/Tiger