Platform
java
Component
ro.pippo:pippo-core
Fixed in
1.12.0
CVE-2018-18628 is an insecure deserialization vulnerability in Pippo-Core. It affects releases before 1.12.0 (the CVE entry was written against 1.11.0). The session transcoder base64-decodes the PIPPO_SESSION cookie and hands the bytes to ObjectInputStream.readObject() without restricting which classes may be instantiated, so whoever controls the cookie value controls what the server deserializes. The vulnerability was published on October 24, 2018; the fix ships in version 1.12.0.
The impact is remote code execution (RCE). The attacker serializes a gadget object (an object graph whose readObject() hooks do something useful to the attacker when reconstructed), base64-encodes it, and sends it as the PIPPO_SESSION cookie in an ordinary HTTP request; the request need not be authenticated, since the cookie is the thing that would have identified the session. When the server decodes the cookie, deserialization runs the gadget with the privileges of the JVM, which can mean full host compromise, data theft or denial of service. One caveat a practitioner should keep in mind: code execution needs a usable gadget chain on the application's classpath (common library combinations provide one), while an attacker without a chain can still crash or exhaust the process with deeply nested or oversized object graphs. The pattern is the classic one shared by other Java deserialization flaws: untrusted bytes reach readObject() with no type allowlist.
CVE-2018-18628 was publicly disclosed on October 24, 2018. No active exploitation campaign has been definitively tied to this CVE and it is not listed in the CISA KEV catalog, but bugs of this shape are cheap to exploit with standard gadget-chain tooling, and public proof-of-concept exploits are available.
Any application bundling Pippo-Core before 1.12.0 and using a session strategy that serializes session data into the PIPPO_SESSION cookie is exposed. Because the payload executes inside the application's JVM, everything reachable from that process is in scope: other applications deployed in the same JVM or container, credentials and data the process can read, and the host itself if the process runs with broad privileges.
• java / server:
# Locate Pippo-Core jars and read the version Maven recorded inside each one
find / -name 'pippo-core-*.jar' 2>/dev/null -exec sh -c 'printf "%s: " "$1"; unzip -p "$1" META-INF/maven/ro.pippo/pippo-core/pom.properties 2>/dev/null | grep ^version= || echo "no pom.properties, read the version from the file name"' _ {} \;
# In a Maven project the resolved version is also in the dependency tree
mvn dependency:tree | grep pippo-core
Any version lower than 1.12.0 is affected.
• generic web:
# Look for PIPPO_SESSION cookies in access logs. Apache only writes cookies when the
# LogFormat includes %{Cookie}i, so an empty result does not prove the cookie is unused.
grep -oi 'PIPPO_SESSION=[^;" ]*' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head
# A value beginning with rO0AB is base64 for the Java serialization header 0xACED0005, so the
# serialization transcoder is in use. Legitimate sessions start the same way: inspect the class
# names inside the stream, not the prefix.
Exploit status: disclosure
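As an added triage example (not part of this page or of the Pippo project): a small Java program that base64-decodes a captured PIPPO_SESSION value, confirms the serialization header, and lists the class names present in the stream without ever calling ObjectInputStream, then flags any name outside an allowlist of package prefixes. The allowlist (ro.pippo., java.) and the Gadget class are assumptions made for the demo, and both cookie values are constructed inside the program.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.regex.Pattern;

/** Inspects a PIPPO_SESSION cookie value WITHOUT deserializing it. */
public class SessionCookieTriage {

    // Java serialization stream header (0xACED0005); its base64 form starts with "rO0AB".
    private static final byte[] STREAM_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final int TC_CLASSDESC = 0x72;   // marks a class descriptor in the stream

    // Accepts "java.util.HashMap", "Outer$Inner", "[Ljava.lang.Object;", "[B" ...
    private static final Pattern CLASS_NAME = Pattern.compile(
            "\\[*(L?[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)*;?|[BCDFIJSZ])");

    // Assumption for the demo: only these package prefixes belong in a session cookie.
    private static final List<String> ALLOWED_PREFIXES = Arrays.asList("ro.pippo.", "java.");

    /** Base64-decodes the cookie (standard alphabet first, URL-safe as a fallback). */
    static byte[] decode(String cookieValue) {
        try {
            return Base64.getDecoder().decode(cookieValue);
        } catch (IllegalArgumentException e) {
            return Base64.getUrlDecoder().decode(cookieValue);
        }
    }

    static boolean isSerializedObject(byte[] b) {
        return b.length >= 4 && Arrays.equals(Arrays.copyOf(b, 4), STREAM_MAGIC);
    }

    /**
     * Heuristic scan for class descriptors: TC_CLASSDESC, a 2-byte big-endian length, then
     * the class name in (modified) UTF-8. Nothing is loaded or instantiated. A 0x72 byte
     * inside string data can produce a false hit, and proxy descriptors (0x7D) are skipped.
     */
    static List<String> classNames(byte[] b) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 <= b.length; i++) {
            if ((b[i] & 0xFF) != TC_CLASSDESC) continue;
            int len = ((b[i + 1] & 0xFF) << 8) | (b[i + 2] & 0xFF);
            if (len == 0 || len > 512 || i + 3 + len > b.length) continue;
            String name = new String(b, i + 3, len, StandardCharsets.UTF_8);
            if (CLASS_NAME.matcher(name).matches()) names.add(name);
        }
        return names;
    }

    /** Returns the class names outside the allowlist (empty list = nothing suspicious). */
    static List<String> triage(String cookieValue) {
        byte[] raw = decode(cookieValue);
        if (!isSerializedObject(raw)) return new ArrayList<>();  // not a serialized object
        List<String> flagged = new ArrayList<>();
        for (String n : classNames(raw)) {
            String base = n.replaceFirst("^\\[+L?", "");  // strip array prefix for the check
            if (base.length() == 1) continue;             // primitive array such as [B
            if (ALLOWED_PREFIXES.stream().noneMatch(base::startsWith)) flagged.add(n);
        }
        return flagged;
    }

    /** Stands in for an attacker-chosen gadget class (constructed for the demo). */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Serializes and base64-encodes the way a cookie-backed session store would (constructed). */
    static String encode(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        HashMap<String, String> session = new HashMap<>();
        session.put("user", "alice");
        String benign = encode(session);         // only java.util.HashMap inside
        String hostile = encode(new Gadget());   // names a class outside the allowlist

        for (String cookie : new String[] {benign, hostile}) {
            byte[] raw = decode(cookie);
            System.out.println("serialized=" + isSerializedObject(raw)
                    + " classes=" + classNames(raw)
                    + " flagged=" + triage(cookie));
        }
    }
}
```

Run it against values pulled from the access-log grep above (or from a proxy capture); a cookie whose class list contains anything outside the session's own packages is worth a closer look, while an empty list only says the heuristic found nothing, not that the value is safe.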
EPSS
4.38% (89th percentile)
CVSS vector
The fix is to upgrade Pippo-Core to 1.12.0 or later. If that cannot happen immediately, the mitigation that actually addresses the bug is to stop arbitrary classes from being instantiated: either switch the session store to one that does not serialize objects into the cookie, or wrap the decode path in a JEP 290 deserialization filter (ObjectInputFilter in Java 9+, also available through the jdk.serialFilter property from Java 8u121) that allowlists the session class and the few value types it contains and rejects everything else. "Input validation" on the cookie value has no meaning here: the value is base64 of a binary object graph, and any check that still ends in an unrestricted readObject() leaves the hole open. A WAF can only match known gadget signatures inside base64 and is easily bypassed, so treat it as telemetry rather than a control. Monitor the application log for InvalidClassException and ClassNotFoundException raised from readObject(), and for PIPPO_SESSION values whose decoded stream names classes outside the session's own packages. After upgrading or adding the filter, verify by sending a cookie that contains a base64-serialized instance of a harmless class the session never uses and confirming the request is rejected with a filter or type error rather than processed.
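The vulnerable decode path described above next to a hardened one, as an added Java example that is not Pippo's code: SessionData and Gadget are stand-in classes defined in the program, and a real deployment would have to name the project's actual session class and every type it stores in the filter pattern. The "hostile" cookie carries a harmless class to show the type confusion; the real attack substitutes a gadget chain in its place. Requires Java 9 or later for ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SessionCookieTranscoder {

    /** Stand-in for the project's session object (hypothetical; not Pippo's class). */
    static final class SessionData implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, Object> attributes = new HashMap<>();
    }

    /** Any other Serializable class: stands in for the gadget an attacker would choose. */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Serialize and base64-encode, as a cookie-backed session store does (constructed). */
    static String encode(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** VULNERABLE shape: whatever class the cookie names gets instantiated. */
    static Object decodeUnsafe(String cookie) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookie);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    /**
     * HARDENED shape: a JEP 290 filter naming exactly the classes a session may contain;
     * everything else is rejected before any constructor or readObject() hook runs. The
     * limits cap depth, object count and size so a cookie cannot exhaust the process either.
     */
    static final ObjectInputFilter SESSION_FILTER = ObjectInputFilter.Config.createFilter(
            SessionData.class.getName()
            + ";java.util.HashMap;java.lang.*;maxdepth=8;maxrefs=256;maxbytes=16384;!*");

    static SessionData decodeSafe(String cookie) throws IOException, ClassNotFoundException {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(cookie);
        } catch (IllegalArgumentException e) {
            throw new InvalidObjectException("cookie is not valid base64");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(SESSION_FILTER);
            Object o = ois.readObject();   // throws InvalidClassException when rejected
            if (!(o instanceof SessionData)) {
                throw new InvalidObjectException("cookie did not contain a session");
            }
            return (SessionData) o;
        }
    }

    public static void main(String[] args) throws Exception {
        SessionData s = new SessionData();
        s.attributes.put("user", "alice");
        s.attributes.put("logins", 3);
        String legit = encode(s);               // constructed legitimate cookie
        String hostile = encode(new Gadget());  // constructed attacker-controlled cookie

        System.out.println("unsafe, hostile cookie -> instantiated "
                + decodeUnsafe(hostile).getClass().getName());
        System.out.println("safe,   legit cookie   -> user="
                + decodeSafe(legit).attributes.get("user"));
        try {
            decodeSafe(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe,   hostile cookie -> rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the whole control: every class that can legitimately appear in a session (including the value types stored as attributes and their serializable superclasses) must be named, and the trailing !* must stay, otherwise the filter silently degrades back to the unsafe behaviour.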
CVE-2018-18628 is a critical insecure deserialization vulnerability in Pippo-Core before 1.12.0: the PIPPO_SESSION cookie is deserialized with ObjectInputStream.readObject() without any type restriction, so an attacker who sets the cookie can execute arbitrary code on the server.
You are affected if your application bundles Pippo-Core earlier than 1.12.0 and stores session data in the PIPPO_SESSION cookie. Check the resolved version in your dependency tree (mvn dependency:tree, gradle dependencies) rather than only the version declared in your build file.
Upgrade to Pippo-Core 1.12.0 or later. Until then, put a deserialization filter (JEP 290 ObjectInputFilter) on the cookie decode path that allowlists only the session classes, or move session data out of the cookie entirely.
No confirmed exploitation campaign is publicly known, but the bug belongs to a class that standard gadget-chain tooling exploits with little effort, so treat it as likely to be targeted.
Refer to the Pippo project's release notes for 1.12.0 and the CVE entry for details on this vulnerability and the corresponding fix.