Vulnerabilities > Alibaba > Critical
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-10 | CVE-2022-25845 | Deserialization of Untrusted Data vulnerability in multiple products. The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. | 9.8 |
2018-10-23 | CVE-2017-18349 | Improper Input Validation vulnerability in multiple products. parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java. | 10.0 |