oss-sec mailing list archives

Apache OFBiz - Unauth Path Traversal with file corruption (CVE-2022-25371)

From: Jacques Le Roux <jleroux () apache org>
Date: Fri, 2 Sep 2022 08:26:10 +0200

Severity:
High

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 18.12.06

Description:
The Birt viewer version 4.5.0 has a security issue that allows this exploit.
We waited long for https://github.com/eclipse/birt/issues/625
to resolve but eventually decided to release OFBiz 18.12.06 without
the Birt component

Mitigation:
Upgrade to at least 18.12.06
or apply patches at https://issues.apache.org/jira/browse/OFBIZ-...

Credit:
npodotykin () ptsecurity com

References:
http://ofbiz.apache.org/download.html#vulnerabilities

Current thread:

Apache OFBiz - Unauth Path Traversal with file corruption (CVE-2022-25371) Jacques Le Roux (Sep 02)
- Re: Apache OFBiz - Unauth Path Traversal with file corruption (CVE-2022-25371) Jacques Le Roux (Sep 03)
- <Possible follow-ups>
- Apache OFBiz - Unauth Path Traversal with file corruption (CVE-2022-25371) Jacques Le Roux (Sep 08)