CVE-2021-25958

Published: Aug 30, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.

Affected (1)

Products: Apache: Ofbiz

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ofbiz	From 17.12.01 to 17.12.08

Related CWEs

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

References (4)

https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c

Source: vulnerabilitylab@mend.io

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958

Source: vulnerabilitylab@mend.io

Third Party Advisory

https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.