List: oss-security
Subject: [oss-security] [CVE-2021-26295] RCE vulnerability in latest Apache OFBiz due to Java serialisation u
From: Jacques Le Roux <jacques.le.roux () les7arts ! com>
Date: 2021-03-21 13:01:37
Message-ID: ab4895c3-fe33-99c7-6182-0d4aa05fff32 () les7arts ! com
Severity: High

Vendor: The Apache Software Foundation

Versions Affected: OFBiz versions prior to 17.12.06

Description:
Apache OFBiz has unsafe deserialization prior to 17.12.06.
An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

Mitigation:
Upgrade to at least 17.12.06 or apply the patch at https://github.com/apache/ofbiz-framework/commit/af9ed4e/
Credit:
- r00t4dm at Cloud-Penetrating Arrow Lab <r00t4dm@gmail.com>
- MagicZero from SGLAB of Legendsec at Qi'anxin Group
- Longofo at Knownsec 404 Team

References:
http://ofbiz.apache.org/download.html#vulnerabilities