CVE-2021-25958

Generation of Error Message Containing Sensitive Information in Apache OFBiz

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (2)

NVD, NVD

CWE (1)

CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC (-)

Risk

CVSS Score

7.5 High

SSVC

KEV

EPSS

0.2%

Affected Products (-)

Vendors (1)

apache

Products (1)

ofbiz

Versions (1)

>= 17.12.01 < 17.12.08

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (2)

General (1)

whitesourcesoftware

Exploits & POcs (-)

Patches (1)

github

Advisories (-)

Summary

Descriptions

In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.

En Apache Ofbiz, las versiones v17.12.01 a v17.12.07, implementan una excepción try catch para manejar errores en múltiples ubicaciones, pero filtran información confidencial de la tabla que puede ayudar al atacante para su posterior reconocimiento. Un usuario puede registrarse con una contraseña muy larga, pero cuando intenta iniciar sesión con ella es producida una excepción.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-22 CVE Reserved
2021-08-30 CVE Published
2024-09-16 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (2)

URL	Tag	Source
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c	2021-09-02

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Ofbiz Search vendor "Apache" for product "Ofbiz"				>= 17.12.01 < 17.12.08 Search vendor "Apache" for product "Ofbiz" and version " >= 17.12.01 < 17.12.08"		-		Affected

CVE-2021-25958

Generation of Error Message Containing Sensitive Information in Apache OFBiz

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (2)

Affected Vendors, Products, and Versions