Posted to announce@apache.org by "jleroux@apache.org" <jl...@apache.org> on 2021/04/27 18:59:56 UTC
[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
Severity:
High, possible RCE
Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz versions prior to 17.12.07
Description:
Apache OFBiz versions prior to 17.12.07 perform unsafe deserialization of Java serialized objects received over RMI.
An unauthenticated attacker can exploit this to achieve remote code execution (RCE).
Mitigation:
Upgrade to 17.12.07 or later,
or apply one of the patches at https://issues.apache.org/jira/browse/OFBIZ-12216
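The example below is added here to illustrate the vulnerability class the description names (an unfiltered ObjectInputStream.readObject() on attacker-supplied bytes) next to the JDK's standard hardening control for it, a JEP 290 serialization filter (java.io.ObjectInputFilter, Java 9 or newer). It is not OFBiz code and not the OFBiz patch; the class names in the allow list, the stand-in HashMap payload and the class name SerialFilterDemo are assumptions chosen for the demo, and the filter is a defense-in-depth measure that does not replace upgrading.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class SerialFilterDemo {

    // Allow-list filter in JEP 290 pattern syntax (demo assumption: the service only
    // ever expects an ArrayList of Integers). The trailing "!*" rejects every other
    // class, including the gadget-chain classes a deserialization exploit relies on.
    // maxdepth/maxarray also cap graph depth and array size so a crafted stream
    // cannot exhaust memory before the class check even matters.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1024;"
            + "java.util.ArrayList;java.lang.Integer;java.lang.Number;java.lang.String;!*");

    // Helper that produces a Java serialization stream (constructed demo input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE PATTERN: readObject() on untrusted bytes with no filter. Any
    // Serializable class on the classpath can be instantiated by the sender, which
    // is the general mechanism behind Java deserialization RCE.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // HARDENED PATTERN: the same read with the allow-list filter installed on the
    // stream. A class outside the list is refused before it is instantiated and
    // readObject() throws InvalidClassException.
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ArrayList<Integer> expected = new ArrayList<>();
        expected.add(42);
        byte[] okStream = serialize(expected);

        // HashMap stands in for any class the service does not expect to receive;
        // a real attack stream would carry a gadget chain instead (constructed input).
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] badStream = serialize(unexpected);

        System.out.println("unfiltered, unexpected class: " + readUnfiltered(badStream));
        System.out.println("filtered, expected class:     " + readFiltered(okStream));
        try {
            readFiltered(badStream);
            System.out.println("filtered, unexpected class:   accepted (filter not applied?)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class:   rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list pattern can be applied process-wide, without touching application code, through the JVM system property `-Djdk.serialFilter=<pattern>`, which also covers object streams created inside the RMI runtime. A filter only limits which classes a stream may instantiate; it does not fix the endpoint that accepts untrusted serialized input, so the upgrade or patch above remains the actual mitigation.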
Credit:
r00t4dm at Cloud-Penetrating Arrow Lab <r0...@gmail.com>
asd of MoyunSec V-Lab <ro...@thiscode.cc>
赖涵 <10...@qq.com>
References:
http://ofbiz.apache.org/download.html#vulnerabilities