9.8

CVE-2016-2170

Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheOfbiz Version >= 12.04 < 12.04.06
ApacheOfbiz Version >= 13.07 < 13.07.03
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 12.68% 0.957
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://ofbiz.apache.org/download.html#vulnerabilities
Patch
Vendor Advisory
https://blogs.apache.org/ofbiz/entry/announce_apache_ofbiz_12_04
Patch
Vendor Advisory
https://blogs.apache.org/ofbiz/entry/announce_apache_ofbiz_13_07
Vendor Advisory
http://packetstormsecurity.com/files/136639/Apache-OFBiz-13.07.02-13.07.01-Information-Disclosure.html
Third Party Advisory
VDB Entry
http://www.securityfocus.com/archive/1/538034/100/0/threaded
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1035513
Third Party Advisory
VDB Entry
https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialization+vulnerability
Vendor Advisory
https://issues.apache.org/jira/browse/OFBIZ-6726
Patch
Vendor Advisory
https://lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r0d97a3b7a14777b9e9e085b483629d2774343c4723236d1c73f43ff0%40%3Cdev.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r3ee005dd767cd83f522719423f5e7dd316f168ddbd1dc51a13d4e244%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rab718cfe6468085d7560c0c1ae816841e175886199f42e36efb8d735%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rbe512e5ccd6b11169c6379daa1234bc805f3d53c5a38224e956295ce%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rc9bd0d3d794dc370bc70585960841868cb29b92dcc80552b84ca2599%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rec5e9fdcdca13099cfb29f632333f44ad1dd60d90f67b90434e4467a%40%3Cdev.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/reccf8c8a58337ce7c035495d3d82fbc549e97036a9789a2a7d9cccf6%40%3Cdev.ofbiz.apache.org%3E