[java] Add CVE-2018-18240 (#1127)

* Add CVE-2018-18240 * Update 18240.yaml @msrb PTAL * Update 18240.yaml
fabric8-analytics · Feb 5, 2019 · 68b672e · 68b672e
2 parents a1387ac + 7125978
commit 68b672e
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/database/java/2018/18240.yaml b/database/java/2018/18240.yaml
@@ -0,0 +1,22 @@
+---
+cve: 2018-18240
+title: CVE in Pippo
+description: >
+    Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.
+cvss_v2: 7.5
+references:
+    - https://github.com/pippo-java/pippo/issues/454
+    - https://github.com/pippo-java/pippo/commit/c6b26551a82d2dd32097fcb17c13c3b830916296
+affected:
+    - groupId: ro.pippo
+      artifactId: pippo-core
+      version:
+        - "<=1.11.0"
+      fixedin:
+        - ">=1.12.0"
+    - groupId: ro.pippo
+      artifactId: pippo-session
+      version:
+        - "<=1.11.0"
+      fixedin:
+        - ">=1.12.0"