Description
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
Remediation
References
https://github.com/pippo-java/pippo/issues/466
https://github.com/alibaba/fastjson/wiki/security_update_20170315
https://fortiguard.com/encyclopedia/ips/44059
Related Vulnerabilities
CVE-2021-33360 Vulnerability in npm package @stoqey/gnuplot
CVE-2020-28459 Vulnerability in npm package markdown-it-decorate
CVE-2020-36379 Vulnerability in npm package aaptjs
CVE-2020-17527 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2023-46998 Vulnerability in maven package org.webjars.npm:bootbox.js