CVE-2018-18628

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution.
References
Link Resource
https://github.com/pippo-java/pippo/issues/458 Exploit Patch Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:pippo:pippo:1.11.0:*:*:*:*:*:*:*

Information

Published : 2018-10-23 13:29

Updated : 2019-01-28 13:13


NVD link : CVE-2018-18628

Mitre link : CVE-2018-18628


JSON object : View

CWE
CWE-502

Deserialization of Untrusted Data

Advertisement

dedicated server usa

Products Affected

pippo

  • pippo