Critical severity · NVD Advisory · Published Oct 23, 2018 · Updated Sep 17, 2024
CVE-2017-18349
Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.alibaba:fastjson (Maven) | < 1.2.31 | 1.2.31 |
| ro.pippo:pippo-fastjson (Maven) | < 1.12.0 | 1.12.0 |
Affected products (2 version ranges from GHSA coordinates)
- (no CPE) range: < 1.2.31
- (no CPE) range: < 1.12.0
References (5)
- github.com/advisories/GHSA-xjrr-xv9m-4pw5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-18349 (NVD advisory)
- fortiguard.com/encyclopedia/ips/44059 (web)
- github.com/pippo-java/pippo/commit/8443377d3c5b35acca190a66894b4f95e4051be2 (Pippo commit)
- github.com/pippo-java/pippo/issues/466 (Pippo issue #466)