CVE-2018-17200 — Apache Ofbiz vulnerability

4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

2.0%

top 16.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ofbiz

Timeline

PublishedSep 11

Latest updateMay 24

Description

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/ofbiz16.11.01 — 16.11.05

▶CVEListV5apache/ofbizOFBiz 16.11.01 to 16.11.05

🔴Vulnerability Details

GHSA

GHSA-rv9j-p5m2-3523: The Apache OFBiz HTTP engine (org↗2022-05-24

▶

CVEList

CVE-2018-17200: The Apache OFBiz HTTP engine (org↗2019-09-11

▶

📋Vendor Advisories

Apache

Apache ofbiz: CVE-2018-17200↗

▶