9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-18349

GHSA ID

GHSA-xjrr-xv9m-4pw5

EPSS Score

0.986%

CWE

CWE-20

Published

10/24/2018

Updated

9/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-18349

CVE-2017-18349: Improper Input Validation in alilibaba:fastjson

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-18349

GHSA ID

GHSA-xjrr-xv9m-4pw5

EPSS Score

0.986%

CWE

CWE-20

Published

10/24/2018

Updated

9/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.alibaba:fastjson	maven	<= 1.2.24	1.2.31
ro.pippo:pippo-fastjson	maven	< 1.12.0	1.12.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from Fastjson's parseObject function not properly validating '@type' annotations, allowing JNDI injection (CWE-20). In Pippo's implementation, the FastjsonEngine.fromString method directly uses this vulnerable parseObject for request body deserialization. The exploit demonstrates this by sending a crafted JSON payload with 'rmi://' URI in dataSourceName field, which gets deserialized through these functions. The patch in Pippo (commit 8443377) upgraded Fastjson to 1.2.51 which introduced autoType checking and validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

p*rs*O*j**t in **stjson ***or* *.*.**, *s us** in **stjson*n*in* in Pippo *.**.* *n* ot**r pro*u*ts, *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** vi* * *r**t** JSON r*qu*st, *s **monstr*t** *y * *r**t** rmi:// URI in t** **t*Sour**N*m* *i*l* o*

Reasoning

T** *or* vuln*r**ility st*ms *rom **stjson's `p*rs*O*j**t` *un*tion not prop*rly v*li**tin* '@typ*' *nnot*tions, *llowin* JN*I inj**tion (*W*-**). In Pippo's impl*m*nt*tion, t** `**stjson*n*in*.*romStrin*` m*t*o* *ir**tly us*s t*is vuln*r**l* `p*rs*O

9.8

Basic Information

Concerned about an active attack path?

CVE-2017-18349: Improper Input Validation in alilibaba:fastjson

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI