Posted to dev@ofbiz.apache.org by Jacques Le Roux <jl...@apache.org> on 2022/09/02 06:20:35 UTC

Apache OFBiz - Regular Expression Denial of Service (ReDoS) [CVE-2022-29158]

Severity:
High

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 18.12.06

Description:
Apache OFBiz up to version 18.12.05 is vulnerable to Regular
Expression Denial of Service (ReDoS) in the way it handles URLs
provided by external, unauthenticated users.

Mitigation:
Upgrade to at least 18.12.06
or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

Credit:
Tony Torralba and Joseph Farebrother from the GitHub CodeQL team

References:
http://ofbiz.apache.org/download.html#vulnerabilities