CVE-2022-29063

Published: Sep 2, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server restart, in order to run arbitrary code. Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646.

Affected (1)

Products: Apache: Ofbiz

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Ofbiz	Before 18.12.06

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

http://www.openwall.com/lists/oss-security/2022/09/02/6

Source: security@apache.org

Mailing ListPatchThird Party Advisory

https://lists.apache.org/thread/ytzrjc16pf357zntwk8tjby13kbx9105

Source: security@apache.org

Mailing ListPatchVendor Advisory

http://www.openwall.com/lists/oss-security/2022/09/02/6

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

https://lists.apache.org/thread/ytzrjc16pf357zntwk8tjby13kbx9105

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchVendor Advisory

Timeline

No history available yet.