CVE-2019-0189

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E
https://s.apache.org/hsn2g	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E
https://s.apache.org/hsn2g	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:16

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E -~~	() https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E -
References	~~() https://s.apache.org/hsn2g - Mailing List, Vendor Advisory~~	() https://s.apache.org/hsn2g - Mailing List, Vendor Advisory

07 Nov 2023, 03:01

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9@%3Ccommits.ofbiz.apache.org%3E', 'name': '[ofbiz-commits] 20200224 [ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6@%3Ccommits.ofbiz.apache.org%3E', 'name': '[ofbiz-commits] 20200224 [ofbiz-framework] branch trunk updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8@%3Ccommits.ofbiz.apache.org%3E', 'name': '[ofbiz-commits] 20200224 [ofbiz-framework] branch release18.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f@%3Cnotifications.ofbiz.apache.org%3E', 'name': '[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10770) Update Apache commons-fileupload to last version (CVE-2019-0189)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7@%3Cnotifications.ofbiz.apache.org%3E', 'name': '[ofbiz-notifications] 20200502 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151@%3Ccommits.ofbiz.apache.org%3E', 'name': '[ofbiz-commits] 20200206 svn commit: r1873710 - in /ofbiz/site: security.html template/page/security.tpl.php', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e@%3Cnotifications.ofbiz.apache.org%3E', 'name': '[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d@%3Ccommits.ofbiz.apache.org%3E', 'name': '[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd@%3Cnotifications.ofbiz.apache.org%3E', 'name': '[ofbiz-notifications] 20200224 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69@%3Cnotifications.ofbiz.apache.org%3E', 'name': '[ofbiz-notifications] 20200224 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f@%3Ccommits.ofbiz.apache.org%3E', 'name': '[ofbiz-commits] 20200430 [ofbiz-site] branch master updated: Update for 2 last CVEs: CVE-2019-0235 & CVE-2019-12425', 'tags': [], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8@%3Cnotifications.ofbiz.apache.org%3E', 'name': '[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E - () https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E -

Information

Published : 2019-09-11 21:15

Updated : 2024-11-21 04:16

NVD link : CVE-2019-0189

Mitre link : CVE-2019-0189

CVE.ORG link : CVE-2019-0189

JSON object : View

Products Affected

apache

ofbiz

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2019-0189", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-09-11T21:15:10.953", "references": [{"url": "https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E", "source": "security@apache.org"}, {"url": "https://s.apache.org/hsn2g", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://s.apache.org/hsn2g", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16"}, {"lang": "es", "value": "Es conocido que java.io.ObjectInputStream causa problemas de serializaci\u00f3n del Java. Este problema aqu\u00ed est\u00e1 expuesto por la URL \"webtools/control/httpService\" y usa la deserializaci\u00f3n de Java para llevar a cabo la ejecuci\u00f3n del c\u00f3digo. En HttpEngine, el valor del par\u00e1metro request \"serviceContext\" es pasado al m\u00e9todo \"deserialize\" de \"XmlSerializer\". Apache Ofbiz est\u00e1 afectado por dos dependencias diferentes: \"commons-beanutils\" y una versi\u00f3n obsoleta de \"commons-fileupload\", Mitigaci\u00f3n: Actualice a la versi\u00f3n 16.11.06 o aplique manualmente las confirmaciones de OFBIZ-10770 y OFBIZ-10837 en la derivaci\u00f3n 16"}], "lastModified": "2024-11-21T04:16:26.693", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DC9625E-4C35-47F3-A374-CA1DC47BADA0", "versionEndExcluding": "16.11.06", "versionStartIncluding": "16.11.01"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

9.8 /10