CVE-2018-18628

Name of the Vulnerable Software and Affected Versions Pippo version 1.11.0

Description An issue was discovered where the SerializationSessionDataTranscoder.decode() function calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. This allows an attacker to create a malicious object, base64 encode it, and place it in the PIPP SESSION field of a cookie, potentially leading to remote code execution when the cookie is sent.

Recommendations For Pippo version 1.11.0, as a temporary workaround, consider disabling the SerializationSessionDataTranscoder.decode() function until a patch is available. Restrict access to the ObjectInputStream.readObject() method to minimize the risk of exploitation. Avoid using the PIPP SESSION field in cookies until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.