Posted to dev@ofbiz.apache.org by Jacopo Cappellato <ja...@apache.org> on 2013/07/20 18:03:18 UTC

[CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

Parameter values are not correctly validated, and if JUEL metacharacters are included, they are interpreted.

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi (gregory.draperi@gmail.com).

References:

http://ofbiz.apache.org/download.html#vulnerabilities
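As an added illustration (not code from the advisory, from OFBiz or from JUEL), a toy Python template expander models the flaw class named above: an expression opener that arrives inside a request parameter value gets evaluated when the engine rescans its own output, whereas a single-pass expander leaves substituted values opaque and an input check refuses such values up front. The `parameters.` prefix, the arithmetic mini-language and all sample values are constructed for this example.

```python
import re

# Constructed toy engine: ${...} references are resolved against a parameter map.
EXPR = re.compile(r"\$\{([^}]*)\}")
# Openers of JUEL/UEL expressions; neither belongs in an ordinary parameter value.
UEL_METACHARS = re.compile(r"[$#]\{")
MAX_PASSES = 10  # guard so the flawed expander cannot loop forever


def evaluate(expr, params):
    """Resolve one expression body: a parameter lookup or a tiny arithmetic case."""
    expr = expr.strip()
    if expr.startswith("parameters."):
        return str(params.get(expr[len("parameters."):], ""))
    if re.fullmatch(r"\d+\s*\+\s*\d+", expr):
        a, b = (int(x) for x in expr.split("+"))
        return str(a + b)
    raise ValueError(f"unsupported expression: {expr}")


def expand_nested(template, params):
    """Flawed expansion: rescans its own output until no ${...} remains, so an
    expression that came in as a parameter VALUE is evaluated as though it were
    part of the trusted template (nested expression evaluation)."""
    for _ in range(MAX_PASSES):
        if not EXPR.search(template):
            break
        template = EXPR.sub(lambda m: evaluate(m.group(1), params), template)
    return template


def expand_once(template, params):
    """Hardened expansion: one pass over the trusted template only; whatever a
    parameter value contains is inserted as literal text and never rescanned."""
    return EXPR.sub(lambda m: evaluate(m.group(1), params), template)


def reject_uel_metacharacters(params):
    """Input validation: refuse any request parameter carrying an expression opener."""
    bad = sorted(k for k, v in params.items() if UEL_METACHARS.search(str(v)))
    if bad:
        raise ValueError(f"UEL metacharacters in parameter(s): {bad}")
    return params


if __name__ == "__main__":
    template = "Hello, ${parameters.name}"
    print(expand_nested(template, {"name": "${1+1}"}))  # value was evaluated: "Hello, 2"
    print(expand_once(template, {"name": "${1+1}"}))    # value kept literal
```

The marker value `${1+1}` is only a detector for whether evaluation happened: if it comes back as `2`, the engine evaluated data it should have treated as text.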

Re: [CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

Posted by Scott Gray <sc...@hotwaxmedia.com>.
I just want to bump this on the lists since that Douglas Cook idiot was causing a distraction.

It's very important that everyone with the OFBiz versions mentioned below (and trunk checkouts prior to r1500772) either upgrade or patch their installations as soon as possible.  I cannot stress this enough, do it now.

Regards
Scott

On 21/07/2013, at 4:03 AM, Jacopo Cappellato wrote:

> CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache OFBiz 10.04.01 to 10.04.05
> Apache OFBiz 11.04.01 to 11.04.02
> Apache OFBiz 12.04.01
> 
> Description:
> 
> Parameter values are not correctly validated and if JUEL metacharacters are included they are interpreted.
> 
> Mitigation:
> 10.04.x users should upgrade to 10.04.06
> 11.04.x users should upgrade to 11.04.03
> 12.04.01 users should upgrade to 12.04.02
> 
> Credit:
> This issue was discovered by Grégory Draperi (gregory.draperi@gmail.com).
> 
> References:
> 
> http://ofbiz.apache.org/download.html#vulnerabilities


RE: [CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

Posted by SirDouglas Cook <si...@hotmail.com>.
Please make the emails to sirdouglascook@hotmail.com stop...

and remove my email addresses from

*gregory.draperi@gmail.com
*security@apache.org
*dev@ofbiz.apache.org
*user@ofbiz.apache.org
*announce@apache.org
*full-disclosure@lists.grok.org.uk
*bugtraq@securityfocus.com

This has been over a month, I am fed up... I have asked everyone... everywhere...
I shouldn't have to contact ISPs and spam forums to shut you down... nor should anyone else.
But for &*^& sakes... remove me from your databases NOW.

Thank you,

Doug


Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return email and delete this message and any attachments from your system. Thank you.


> From: jacopoc@apache.org
> Subject: [CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz
> Date: Sat, 20 Jul 2013 18:03:18 +0200
> To: gregory.draperi@gmail.com; security@apache.org; dev@ofbiz.apache.org; user@ofbiz.apache.org; announce@apache.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> 
> CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache OFBiz 10.04.01 to 10.04.05
> Apache OFBiz 11.04.01 to 11.04.02
> Apache OFBiz 12.04.01
> 
> Description:
> 
> Parameter values are not correctly validated and if JUEL metacharacters are included they are interpreted.
> 
> Mitigation:
> 10.04.x users should upgrade to 10.04.06
> 11.04.x users should upgrade to 11.04.03
> 12.04.01 users should upgrade to 12.04.02
> 
> Credit:
> This issue was discovered by Grégory Draperi (gregory.draperi@gmail.com).
> 
> References:
> 
> http://ofbiz.apache.org/download.html#vulnerabilities