Open chewgun opened 2 months ago
We also encountered this today.
It seem the Pippo we have is part of the app Greenshot. Greenshot has not been updated since 2017.
Greenshot is a .NET application and doesn't use Java or Pippo, this can only be a false positive from defender.
JFYI it has been brought to our attention that
Microsoft added the Pippo inaccuracy to the list of updated vulnerabilities. Vulnerability support in Microsoft Defender Vulnerability Management - Microsoft Defender Vulnerability Management
I hope that the Defender alerts will disappear as a result.
Hello,
We just saw today (as we installed Greenshot), a vulnerability about Pippo.
Severity level is critical
Summary: Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling.
Impact: If a threat were to exploit this vulnerability, they could execute arbitrary code on the system, potentially leading to unauthorized access, data breaches, and further compromise of the affected system.
Remediation: Upgrade to Pippo version 1.11.1 or later.
More Details can be found here: https://nvd.nist.gov/vuln/detail/CVE-2018-18240 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H