CVE-2017-18349: Improper Input Validation in alibaba:fastjson
CVSS Score: 9.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2017-18349
GHSA ID:
EPSS Score: 0.986%
CWE: CWE-20
Published: 10/24/2018
Updated: 9/26/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.alibaba:fastjson | maven | <= 1.2.24 | 1.2.31 |
ro.pippo:pippo-fastjson | maven | < 1.12.0 | 1.12.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The core vulnerability is that Fastjson's parseObject honours the "@type" key in untrusted input without validating the class it names (CWE-20): the parser instantiates that class and calls its setters with the attacker-supplied property values. A JDK class whose setter performs a JNDI lookup (the gadget the CVE cites has a dataSourceName property, com.sun.rowset.JdbcRowSetImpl) therefore turns ordinary deserialization into JNDI injection. In Pippo, FastjsonEngine.fromString passes the raw request body straight to this parseObject, so every endpoint that deserializes a body through that engine is reachable by an unauthenticated remote attacker. The exploit sends a crafted JSON body with an rmi:// URI in the dataSourceName field; when the setter chain runs, the server performs a JNDI lookup against the attacker's RMI registry, which can lead to remote class loading and arbitrary code execution. The fix in Pippo (commit 8443377) upgraded Fastjson to 1.2.51, a release that carries the autoType checks (autoTypeSupport disabled by default plus a class denylist) added to Fastjson after 1.2.24. Because denylist bypasses were found in later Fastjson releases, applications should also stay on a current release and avoid untyped parseObject calls on untrusted input.