oss-sec mailing list archives
[CVE-2021-26295] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
From: Jacques Le Roux <jacques.le.roux () les7arts com>
Date: Sun, 21 Mar 2021 14:01:37 +0100
Severity: High

Vendor: The Apache Software Foundation

Versions Affected: OFBiz versions prior to 17.12.06

Description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

Mitigation: Upgrade to at least 17.12.06 or apply the patch at https://github.com/apache/ofbiz-framework/commit/af9ed4e/

Credit:
- r00t4dm at Cloud-Penetrating Arrow Lab <r00t4dm () gmail com>
- MagicZero from SGLAB of Legendsec at Qi'anxin Group
- Longofo at Knownsec 404 Team

References: http://ofbiz.apache.org/download.html#vulnerabilities