CVE-2018-18628

CRITICAL

Pippo < 1.12.0 - Insecure Deserialization

Title source: rule

Description

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution.

References (1)

[Exploit, Patch, Third Party Advisory] https://github.com/pippo-java/pippo/issues/458

Scores

CVSS v3 9.8

EPSS 0.0439

EPSS Percentile 88.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

pippo/pippo

ro.pippo/pippo-core < 1.12.0Maven

Timeline

Published Oct 23, 2018

Tracked Since Feb 18, 2026