A vulnerability has been found in Apache OFBiz up to 16.11.05 and classified as critical. This vulnerability affects an unknown functionality of the file /webtools/control/httpService of the component HTTP Service. The manipulation of the argument serviceContent as part of a Parameter leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r1850017+1850019

The weakness was released 09/11/2019 (Website). The advisory is available at s.apache.org. This vulnerability was named CVE-2018-17200 since 09/19/2018. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit.

Upgrading to version 16.11.06 eliminates this vulnerability.

Entries connected to this vulnerability are available at 141649, 141648 and 141647.

Productinfo

Vendor

• Apache

Name

• OFBiz

Version

• 16.11.05

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion