
CVE-2017-18349: Improper Input Validation in alibaba:fastjson

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.986%
Published: 10/24/2018
Updated: 9/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name             Ecosystem   Vulnerable Versions   First Patched Version
com.alibaba:fastjson     maven       <= 1.2.24             1.2.31
ro.pippo:pippo-fastjson  maven       < 1.12.0              1.12.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The core vulnerability stems from Fastjson's parseObject function not properly validating '@type' annotations, which allows JNDI injection (CWE-20). In Pippo's implementation, the FastjsonEngine.fromString method passes the request body directly to this vulnerable parseObject for deserialization. The exploit demonstrates this by sending a crafted JSON payload with an 'rmi://' URI in the dataSourceName field, which is deserialized through these functions. The patch in Pippo (commit 8443377) upgraded Fastjson to 1.2.51, which introduced autoType checking and validation.
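The weakness described above is a class-name hint ('@type') honoured inside attacker-controlled JSON. Beyond upgrading Fastjson and keeping autoType disabled, a compensating control is to screen request bodies before they reach the deserializer. The Python below is an added example written for this page, not Miggo's, Fastjson's or Pippo's code: it parses the body and walks the result, flagging every '@type' key and every string value that carries a JNDI-resolvable URI scheme. The scheme list is an assumption, and the class name and host in the sample bodies are constructed placeholders. Parsing first, rather than grepping the raw text, matters because escaped spellings of the key are normalised before inspection, so the screen sees the key the way the parser would.

```python
"""
Pre-deserialization screen for untrusted JSON bound for a Fastjson-style
parser. Added example for illustration; not Miggo's, Fastjson's or Pippo's code.
"""
import json
import re
from typing import Any, List, Tuple

# Fastjson reads this key as a class-name hint when autoType is enabled.
TYPE_HINT_KEY = "@type"

# URI schemes a JNDI lookup would resolve (assumed list). None of these belongs
# in a value arriving in a JSON API request body.
JNDI_SCHEME = re.compile(r"^\s*(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def _walk(node: Any, path: str, findings: List[Tuple[str, str]]) -> None:
    """Depth-first walk collecting (path, reason) for every suspicious element."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == TYPE_HINT_KEY:
                findings.append((child, f"type hint requests class {value!r}"))
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)
    elif isinstance(node, str) and JNDI_SCHEME.match(node):
        findings.append((path, "JNDI-style URI in string value"))


def screen_json(body: str) -> List[Tuple[str, str]]:
    """Return a list of findings; an empty list means the body passed.

    Parsing before inspecting means an escaped key such as "\\u0040type" has
    already been decoded to "@type", so the check matches what the
    deserializer would actually see. A body that is not valid JSON is
    reported as a finding rather than silently passed through.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [("<root>", f"not valid JSON: {exc}")]
    findings: List[Tuple[str, str]] = []
    _walk(doc, "", findings)
    return findings


# Constructed sample request bodies; class name and host are placeholders.
BENIGN_BODY = '{"name": "alice", "tags": ["a", "b"], "profile": {"age": 30}}'
HOSTILE_BODY = (
    '{"name": "x", "nested": {"\\u0040type": "com.example.PlaceholderType", '
    '"dataSourceName": "rmi://placeholder.invalid:1099/Object"}}'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("hostile", HOSTILE_BODY)):
        hits = screen_json(body)
        print(f"{label}: {'reject' if hits else 'accept'}")
        for where, why in hits:
            print(f"  {where}: {why}")
```

This is a deny-list screen and therefore only a second layer: the primary fix remains the patched Fastjson version with autoType checking, and the screen should log what it rejects so the detection side can see probing against the endpoint.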

WAF Protection Rules

WAF Rule

parseObject in Fastjson before 1.2.31, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of