CVE-2021-29200

RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (2)

NVD, NVD

CWE (1)

CWE-502: Deserialization of Untrusted Data

CAPEC (-)

Risk

CVSS Score

9.8 Critical

SSVC

KEV

EPSS

91.6%

Affected Products (-)

Vendors (1)

apache

Products (1)

ofbiz

Versions (1)

< 17.12.07

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (8)

General (5)

apache

Exploits & POcs (1)

github

Patches (1)

openwall

Advisories (1)

apache

Summary

Descriptions

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

Apache OFBiz, presenta deserialización no segura anteriores a versión 17.12.07. Un usuario no autenticado puede llevar a cabo un ataque RCE

*Credits: Apache OFBiz would like to thank the first report from "r00t4dm at Cloud-Penetrating Arrow Lab, asd of MoyunSec V-Lab <root@thiscode.cc> and 赖涵 <1044309102@qq.com> a bit later

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-25 CVE Reserved
2021-04-27 CVE Published
2021-05-11 First Exploit
2024-08-03 CVE Updated
2025-01-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (8)

URL	Tag	Source
https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda%40%3Cnotifications.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d%40%3Ccommits.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097%40%3Cuser.ofbiz.apache.org%3E	Mailing List

URL	Date	SRC
https://github.com/freeide/CVE-2021-29200	2021-05-11

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2021/04/27/4	2023-11-07

URL	Date	SRC
https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097%40%3Cdev.ofbiz.apache.org%3E	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Ofbiz Search vendor "Apache" for product "Ofbiz"				< 17.12.07 Search vendor "Apache" for product "Ofbiz" and version " < 17.12.07"		-		Affected

CVE-2021-29200

RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (8)

Affected Vendors, Products, and Versions