Maven package
ro.pippo/pippo-core
pkg:maven/ro.pippo/pippo-core
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-20059 | — | | | < 1.12.0 | 1.12.0 | Dec 11, 2018 | jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. |
| CVE-2018-18628 | — | | | < 1.12.0 | 1.12.0 | Oct 23, 2018 | An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it |
| CVE-2018-18240 | — | | | < 1.12.0 | 1.12.0 | Oct 11, 2018 | Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling. |