CVE-2021-25958Information Exposure via Error Message in Apache Ofbiz-framework

CWE-209Information Exposure via Error Message3 documents3 sources
Severity
7.5HIGHNVD
CNA6.5
EPSS
2.0%
top 16.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Ofbiz-frameworkApache Ofbiz
Timeline
PublishedAug 30
Latest updateMay 24

Description

In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/ofbiz17.12.0117.12.08
CVEListV5apache/ofbiz-frameworkv17.12.01unspecified+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-4xjx-qw73-2v8v: In Apache Ofbiz, versions v172022-05-24
CVEList
Generation of Error Message Containing Sensitive Information in Apache OFBiz2021-08-30
CVE-2021-25958 — Information Exposure via Error Message | cvebase