CVE-2019-0189

Published: Sep 11, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16

Affected (1)

Products: Apache: Ofbiz

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ofbiz	From 16.11.01 to 16.11.06

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (26)

https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E

Source: security@apache.org

https://s.apache.org/hsn2g

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://s.apache.org/hsn2g

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.