List: oss-security
Subject: [oss-security] [CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation u
From: "jleroux () apache ! org" <jleroux () apache ! org>
Date: 2021-04-27 19:00:03
Message-ID: 4f613530-d896-24c0-c500-19ce517dbd3a () apache ! org
Severity:
High, possible RCE
Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz versions prior to 17.12.07
Description:
Apache OFBiz has unsafe deserialization prior to version 17.12.07.
An unauthenticated user can perform an RCE attack.
Mitigation:
Upgrade to at least 17.12.07
or apply one of the patches at https://issues.apache.org/jira/browse/OFBIZ-12216
Credit:
r00t4dm at Cloud-Penetrating Arrow Lab <r00t4dm@gmail.com>
asd of MoyunSec V-Lab <root@thiscode.cc>
赖涵 <1044309102@qq.com>
References:
http://ofbiz.apache.org/download.html#vulnerabilities
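The advisory names the vulnerability class (unsafe Java deserialization) but, as is usual for ASF advisories, not the affected code path, so the fix is the upgrade or the OFBIZ-12216 patch. The following is an added illustration, not code from the advisory or from OFBiz, of what "unsafe deserialization" means in Java and of the JEP 290 `ObjectInputFilter` allowlist that a practitioner would expect to find on any `ObjectInputStream` fed from the network. The `Greeting` and `Unexpected` classes, the filter pattern and the sample payloads are all constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    // Constructed sample type: the one class this service legitimately expects to receive.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for "any other serializable class on the classpath",
    // i.e. the kind of gadget class an attacker's payload would name.
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // The unsafe pattern: whatever class name the untrusted stream carries gets
    // instantiated, and its readObject()/readResolve() code runs before this method returns.
    public static Object unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // The hardened pattern: an allowlist filter (JEP 290, Java 9+). Only Greeting and
    // java.base types (String etc.) may be instantiated; "!*" rejects everything else,
    // and the limits bound graph depth and stream size before any class is resolved.
    public static Object filteredDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "maxdepth=8;maxbytes=65536;DeserializationDemo$Greeting;java.base/*;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();
        }
    }

    // Helper used only to build the sample streams for the demo.
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] attackerControlled = serialize(new Unexpected());

        // Both streams are accepted by the unsafe reader: it has no say in which class is built.
        System.out.println("unsafe: " + unsafeDeserialize(expected).getClass().getSimpleName());
        System.out.println("unsafe: " + unsafeDeserialize(attackerControlled).getClass().getSimpleName());

        // The filtered reader accepts the expected type and rejects the other before it is instantiated.
        System.out.println("filtered: " + ((Greeting) filteredDeserialize(expected)).text);
        try {
            filteredDeserialize(attackerControlled);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter is checked per class as the stream is parsed, so a rejected class is never loaded or instantiated, which is what blocks gadget chains. Such a filter is a defence-in-depth measure for code you control; it does not replace the upgrade to 17.12.07, because the filter has to be installed on the specific stream that OFBiz exposes, and the advisory does not identify it.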