CVE-2019-0189 — Deserialization of Untrusted Data in Apache Ofbiz

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

19.5%

top 4.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ofbiz

Timeline

PublishedSep 11

Latest updateMay 24

Description

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/ofbiz16.11.01 — 16.11.06

▶CVEListV5apache/ofbizOFBiz 16.11.01 to 16.11.05

🔴Vulnerability Details

GHSA

GHSA-7f6q-4x5x-p74v: The java↗2022-05-24

▶

CVEList

CVE-2019-0189: The java↗2019-09-11

▶

📋Vendor Advisories

Apache

Apache ofbiz: CVE-2019-0189↗

▶