Arbitrary Code Execution via Crafted JSON Request in Fastjson (CVE-2020-10672)

Arbitrary Code Execution via Crafted JSON Request in Fastjson (CVE-2020-10672)

CVE-2017-18349 · HIGH Severity

AV:N/AC:L/AU:N/C:C/I:C/A:C

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Learn more about our Web Application Penetration Testing UK.