CVE-2017-18349

Name of the Vulnerable Software and Affected Versions: Fastjson versions prior to 1.2.25 Pippo version 1.11.0

Description: The issue allows remote attackers to execute arbitrary code via a crafted JSON request. This can be achieved by sending a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Recommendations: For Fastjson versions prior to 1.2.25, update to version 1.2.25 or later to resolve the issue. For Pippo version 1.11.0, consider disabling the parseObject function in FastjsonEngine as a temporary workaround until a patch is available.