CVE-2021-30128

Description

Apache OFBiz has unsafe deserialization prior to 17.12.07 version

Related CPE's

aapacheofbiz********
vulnerable

References

https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E

Mailing ListMitigationVendor Advisory

[ofbiz-dev] 20210427 [CVE-2021-30128] Unsafe deserialization in OFBiz

Mailing ListMitigationVendor Advisory

[ofbiz-notifications] 20210427 [jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]

Mailing ListVendor Advisory

[ofbiz-notifications] 20210427 [jira] [Updated] (OFBIZ-12221) Fixed ObjectInputStream denyList [CVE-2021-30128]

Mailing ListVendor Advisory

[ofbiz-user] 20210427 [CVE-2021-30128] Unsafe deserialization in OFBiz

Mailing ListMitigationVendor Advisory

[oss-security] 20210427 [CVE-2021-30128] Unsafe deserialization in OFBiz

Mailing ListPatchThird Party Advisory

[ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07

Mailing ListPatchVendor Advisory

[announce] 20210427 [CVE-2021-30128] Unsafe deserialization in OFBiz

Mailing ListMitigationVendor Advisory

CvssV3 impact

BaseSeverity

CRITICAL

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

NONE

BaseScore

9.8

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

COMPLETE

AvailabilityImpact

COMPLETE

IntegrityImpact

COMPLETE

BaseScore

10

VectorString

AV:N/AC:L/Au:N/C:C/I:C/A:C

Version

2.0

AccessVector

NETWORK

Authentication

NONE