CVE-2018-18240 - Vulnerability in Pippo dependency?

[cwings-dvb]

Hi,

I doubt that im the first to report this, but my Defender for Endpoint has detected a vulnerability in Greenshot related to a dependency called Pippo.

Does anyone know for what purpose Pippo is being used? Im trying to determine the current risk and impact. If the exploit relies on a malicious payload, then the only thing I can think of is a user installing a faulty update. However its possible that the vulnerable code is not even being used by Greenshot.

See:
pippo-java/pippo#643

Summary:
Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.

[cwings-dvb]

Someone in pippo-java/pippo#643 said that the Defender detection is a false-positive.

"Greenshot is a .NET application and doesn't use Java or Pippo, this can only be a false positive from defender."

I guess I lack the knowledge on how to check this for myself. Ill close the issue.

[jklingen]

JFYI: it took quite some time, but it seems that the false positive has been fixed in Defender.
Thanks for reporting, anyway.