CVE-2021-26295

CVE Database · CVE-2021-26295

CVE-2021-26295

· CRITICALModified

CVSS v3.1

9.8

EPSS

97.97%

Published

Mar 22, 2021

Modified

Nov 21, 2024

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

Affected Products (1)

apache · ofbiz (up to 17.12.06)vulnerable

References (20)

http://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html

ExploitThird Party AdvisoryVDB Entry

https://lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/r0d97a3b7a14777b9e9e085b483629d2774343c4723236d1c73f43ff0%40%3Cdev.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E

Mailing ListPatchVendor Advisory

https://lists.apache.org/thread.html/r3ee005dd767cd83f522719423f5e7dd316f168ddbd1dc51a13d4e244%40%3Cnotifications.ofbiz.apache.org%3E

KEV Catalog EPSS Scores Vendors All CVEs