mirror of
https://github.com/0xMarcio/cve.git
synced 2025-06-19 17:30:12 +00:00
1.7 KiB
1.7 KiB
CVE-2017-18349
Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
POC
Reference
Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/CLincat/vulcat
- https://github.com/Nickel-Angel/lingxi-server
- https://github.com/PAGalaxyLab/VulInfo
- https://github.com/ReAbout/audit-java
- https://github.com/W01fh4cker/LearnFastjsonVulnFromZero-Basic
- https://github.com/bigblackhat/oFx
- https://github.com/h0cksr/Fastjson--CVE-2017-18349-
- https://github.com/happycao/lingxi-server
- https://github.com/hinat0y/Dataset1
- https://github.com/hinat0y/Dataset10
- https://github.com/hinat0y/Dataset11
- https://github.com/hinat0y/Dataset12
- https://github.com/hinat0y/Dataset2
- https://github.com/hinat0y/Dataset3
- https://github.com/hinat0y/Dataset4
- https://github.com/hinat0y/Dataset5
- https://github.com/hinat0y/Dataset6
- https://github.com/hinat0y/Dataset7
- https://github.com/hinat0y/Dataset8
- https://github.com/hinat0y/Dataset9
- https://github.com/luckyfuture0177/VULOnceMore
- https://github.com/openx-org/BLEN
- https://github.com/pan2013e/ppt4j
- https://github.com/qiuluo-oss/Tiger