CVE-2022-29158
Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
Apache OFBiz versiones hasta 18.12.05, es vulnerable a la Denegación de Servicio por Expresión Regular (ReDoS) en la forma en que maneja las URLs proporcionadas por usuarios externos no autenticados. Actualice a versión 18.12.06 o aplique los parches en https://issues.apache.org/jira/browse/OFBIZ-12599
*Credits:
Tony Torralba and Joseph Farebrother from the GitHub CodeQL team.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-04-13 CVE Reserved
- 2022-09-02 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-29 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1333: Inefficient Regular Expression Complexity
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://www.openwall.com/lists/oss-security/2022/09/02/5 | 2023-07-21 | |
https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928 | 2023-07-21 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | < 18.12.06 Search vendor "Apache" for product "Ofbiz" and version " < 18.12.06" | - |
Affected
|