CVE-2016-2170 — Improper Input Validation in Apache Ofbiz

CWE-20 — Improper Input Validation4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

13.6%

top 5.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ofbiz

Timeline

PublishedApr 12

Latest updateMay 13

Description

Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDapache/ofbiz12.04 — 12.04.06+1

Patches

Patch: ofbiz.apache.org ↗Patch: blogs.apache.org ↗Patch: issues.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-39hj-fwhh-gc6w: Apache OFBiz 12↗2022-05-13

▶

CVEList

CVE-2016-2170: Apache OFBiz 12↗2016-04-12

▶

📋Vendor Advisories

Apache

Apache ofbiz: CVE-2016-2170↗

▶