CVE-2022-29158 — Regex Denial of Service in Apache Ofbiz

CWE-1333 — Regex Denial of Service4 documents4 sources

Severity

7.5HIGHNVD

EPSS

1.5%

top 18.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ofbiz Apache Software Foundation Apache Ofbiz

Timeline

PublishedSep 2

Latest updateSep 3

Description

Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/ofbiz< 18.12.06

▶CVEListV5apache_software_foundation/apache_ofbizApache OFBiz — 18.12.05

Patches

Patch: www.openwall.com ↗Patch: lists.apache.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-7hxq-2vp3-4xmj: Apache OFBiz up to version 18↗2022-09-03

▶

CVEList

Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz↗2022-09-02

▶

📋Vendor Advisories

Apache

Apache ofbiz: CVE-2022-29158↗

▶