Remote Code Execution

Affecting ro.pippo:pippo-session artifact, versions [,1.12.0)

high severity

Overview

ro.pippo:pippo-session is a Micro Java Web Framework.

Affected versions of this package are vulnerable to Remote Code Execution. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types.
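As an added illustration (not pippo's own code and not the change shipped in 1.12.0), the following Java shows the unchecked decode pattern described above next to a decoder that allow-lists the classes a session payload may name; the fully-qualified name ro.pippo.session.SessionData and the JDK field types in the list are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Added example, not part of pippo: unchecked deserialization beside an allow-listing decoder.
public class SessionDecoding {

    // Weak pattern: readObject() instantiates whatever class the stream names;
    // the cast to SessionData only happens after the object graph already exists.
    static Object decodeUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: resolveClass() runs while the class is still just a name in the stream,
    // so anything outside the allow-list is rejected before it can be instantiated.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        // Assumed names: the session holder plus the JDK types its fields are expected to use.
        // java.lang.Number is listed because it is the Serializable superclass of the boxed numbers.
        private static final Set<String> ALLOWED = Set.of(
                "ro.pippo.session.SessionData",
                "java.util.HashMap", "java.lang.String", "java.lang.Integer",
                "java.lang.Long", "java.lang.Boolean", "java.lang.Number");

        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not permitted in session data");
            }
            return super.resolveClass(desc);
        }
    }

    static Object decodeChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
}
```

On Java 9+ (or 8u121+) the same restriction can be expressed as an ObjectInputFilter via ObjectInputStream.setObjectInputFilter(), which additionally lets you cap graph depth and array sizes.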

Remediation

Upgrade ro.pippo:pippo-session to version 1.12.0 or higher.

Credit: idealzh
CVE: CVE-2018-18628
CWE: CWE-94
Snyk ID: SNYK-JAVA-ROPIPPO-72565
Disclosed: 30 Sep, 2018
Published: 06 Nov, 2018