Vulnerabilities > CVE-2018-18628 - Deserialization of Untrusted Data vulnerability in Pippo 1.11.0

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

pippo

CWE-502

critical

NVD

Published: 2018-10-23

Updated: 2019-01-28

Summary

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution.

Vulnerable Configurations

Part	Description	Count
Application	Pippo Pippo Pippo 1.11.0	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://github.com/pippo-java/pippo/issues/458