PT-2018-14375 · Pippo · Pippo

Idealzho

Publicado

2018-10-11

Atualizado

2022-05-13

CVE-2018-18240

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Pippo versions prior to 1.11.1

Description The issue allows remote code execution via a command to java.lang.ProcessBuilder. This is because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.

Recommendations For versions prior to 1.11.1, update to version 1.11.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the XstreamEngine component until a patch is available.

Exploit

Correção

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

CVE-2018-18240

GHSA-H892-X453-86WC

Produtos afetados

Pippo

PT-2018-14375 · Pippo · Pippo

CVE-2018-18240

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6