Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-26295

Severity: 9.8 CRITICAL
EPSS: 94.2% (top 0.07%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published 2021-03-22; latest update 2022-05-24

Description

Apache OFBiz before 17.12.06 deserializes untrusted Java serialized objects sent to it over the network (the Apache advisory attributes the flaw to Java serialisation used by its RMI-based service interface). An unauthenticated remote attacker who can reach that interface can execute arbitrary code and take over the OFBiz instance. The fix is to upgrade to 17.12.06 or later.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Reading the vector: reachable over the network, low attack complexity, no privileges and no user interaction required, with high confidentiality, integrity and availability impact, which is why it scores the maximum for an unscoped vulnerability.

Affected Packages (2 packages)

Source      Package                                    Affected range
NVD         apache/ofbiz                               < 17.12.06
CVEListV5   apache_software_foundation/apache_ofbiz    Apache OFBiz 17.12.01 to 17.12.05

Note that the two ranges differ: the vendor range names only the 17.12.01 to 17.12.05 releases, while NVD's open-ended "< 17.12.06" also covers every earlier release line. Treat anything below 17.12.06 as affected unless the vendor states otherwise.

Patches

🔴 Vulnerability Details (3)

GHSA (2022-05-24): GHSA-hp7h-f9pw-x5wj: Apache OFBiz has unsafe deserialization prior to 17.12.06
CVEList (2021-03-22): RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
VulnCheck (2021): Apache OFBiz Deserialization of Untrusted Data

💥 Exploits & PoCs (1)

Nuclei: Apache OFBiz <17.12.06 - Arbitrary Code Execution

📋 Vendor Advisories (1)

Apache: Apache ofbiz: CVE-2021-26295
CVE-2021-26295 (CRITICAL CVSS 9.8) | Apache OFBiz has unsafe deserializa | cvebase.io