Plattform
java
Komponente
ro.pippo:pippo-core
Behoben in
1.12.0
CVE-2018-18628 describes an Insecure Deserialization vulnerability affecting Pippo-Core versions up to 1.9.0. This flaw allows attackers to execute arbitrary code on a vulnerable system by manipulating serialized objects within PIPPO_SESSION cookies. The vulnerability was published on October 24, 2018, and a fix is available in version 1.12.0.
The impact of CVE-2018-18628 is severe, enabling remote code execution (RCE). An attacker can craft a malicious serialized object, base64 encode it, and embed it within a PIPPO_SESSION cookie. When a user with the vulnerable Pippo-Core version receives and processes this cookie, the deserialization process will trigger the execution of the attacker's code. This could lead to complete system compromise, data theft, or denial of service. The ease of exploitation, combined with the potential for RCE, makes this a high-priority vulnerability. This vulnerability shares similarities with other deserialization flaws where untrusted data is directly deserialized without proper validation, potentially leading to arbitrary code execution.
CVE-2018-18628 was publicly disclosed on October 24, 2018. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for RCE make it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of remote code execution.
Applications and systems utilizing Pippo-Core versions 1.9.0 and earlier are at risk. This includes applications that rely on Pippo-Core for session management or data serialization. Shared hosting environments where multiple applications share the same Pippo-Core library are particularly vulnerable, as a compromise in one application could potentially affect others.
• java / server:
# Check for Pippo-Core versions prior to 1.12.0
find / -name "pippo-core*.jar" -print0 | xargs -0 jar -vf | grep "Created-By: 1.\[.*\]"• generic web:
# Check for PIPPO_SESSION cookie in access logs
grep -i 'PIPPO_SESSION=' /var/log/apache2/access.logdisclosure
Exploit-Status
EPSS
4.38% (89% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2018-18628 is to upgrade Pippo-Core to version 1.12.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation on the PIPPO_SESSION cookie to prevent the injection of potentially malicious data. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block deserialization attacks can also provide a layer of defense. Monitor application logs for unusual deserialization activity or errors related to object creation. After upgrading, confirm the fix by attempting to send a known malicious cookie and verifying that it is rejected or handled safely.
Kein offizieller Patch verfügbar. Prüfe auf Workarounds oder überwache auf Updates.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2018-18628 is a critical vulnerability in Pippo-Core versions up to 1.9.0 that allows attackers to execute arbitrary code by manipulating serialized objects in PIPPO_SESSION cookies.
You are affected if your application uses Pippo-Core version 1.9.0 or earlier. Check your dependencies to determine if you are using a vulnerable version.
Upgrade Pippo-Core to version 1.12.0 or later to address the Insecure Deserialization vulnerability. Implement input validation on the PIPPO_SESSION cookie as a temporary mitigation.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's ease of exploitation and potential for RCE make it a likely target.
Refer to the Pippo-Core project's release notes and security advisories for details on this vulnerability and the corresponding fix.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine pom.xml-Datei hoch und wir sagen dir sofort, ob du betroffen bist.