Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-29200

CWE-502Deserialization of Untrusted Data5 documents5 sources
Severity
9.8CRITICAL
EPSS
92.5%
top 0.27%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache Software Foundation Apache OfbizApache Ofbiz
Timeline
PublishedApr 27
Latest updateMay 24

Description

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDapache/ofbiz< 17.12.07
CVEListV5apache_software_foundation/apache_ofbizApache OFBiz17.12.07

Patches

Patch: www.openwall.comPatch: www.openwall.com

🔴Vulnerability Details

2
GHSA
GHSA-8x9g-q2j3-6cr3: Apache OFBiz has unsafe deserialization prior to 172022-05-24
CVEList
RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI2021-04-27

💥Exploits & PoCs

1
Nuclei
Apache OFBiz < 17.12.07 - Arbitrary Code Execution

📋Vendor Advisories

1
Apache
Apache ofbiz: CVE-2021-29200
CVE-2021-29200 (CRITICAL CVSS 9.8) | Apache OFBiz has unsafe deserializa | cvebase.io