PT-2018-14375 · Pippo · Pippo
Idealzho
·
Published
2018-10-11
·
Updated
2022-05-13
·
CVE-2018-18240
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Pippo versions prior to 1.11.1
Description
The issue allows remote code execution via a command to java.lang.ProcessBuilder. This is because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.
Recommendations
For versions prior to 1.11.1, update to version 1.11.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the XstreamEngine component until a patch is available.
Exploit
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pippo