mirror of
https://github.com/0xMarcio/cve.git
synced 2026-04-21 09:56:14 +02:00
0xMarcio
1.9 KiB
1.9 KiB
CVE-2017-18349
Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
POC
Reference
Github
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/CLincat/vulcat
- https://github.com/Nickel-Angel/lingxi-server
- https://github.com/PAGalaxyLab/VulInfo
- https://github.com/ReAbout/audit-java
- https://github.com/W01fh4cker/LearnFastjsonVulnFromZero-Basic
- https://github.com/bigblackhat/oFx
- https://github.com/g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks
- https://github.com/h0cksr/Fastjson--CVE-2017-18349-
- https://github.com/happycao/lingxi-server
- https://github.com/hinat0y/Dataset1
- https://github.com/hinat0y/Dataset10
- https://github.com/hinat0y/Dataset11
- https://github.com/hinat0y/Dataset12
- https://github.com/hinat0y/Dataset2
- https://github.com/hinat0y/Dataset3
- https://github.com/hinat0y/Dataset4
- https://github.com/hinat0y/Dataset5
- https://github.com/hinat0y/Dataset6
- https://github.com/hinat0y/Dataset7
- https://github.com/hinat0y/Dataset8
- https://github.com/hinat0y/Dataset9
- https://github.com/junesi513/AVR_Agent
- https://github.com/luckyfuture0177/VULOnceMore
- https://github.com/openx-org/BLEN
- https://github.com/pan2013e/ppt4j
- https://github.com/qiuluo-oss/Tiger