QwikSec

Security Database

CVE

CWE

Training

CVE-2018-17200

Published: Sep 11, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r1850017+1850019

Vendor	Product	Versions
Apache	OFBiz	affected `OFBiz 16.11.01 to 16.11.05`

References

[ofbiz-dev] 20190910 [CVE-2018-17200] Apache OFBiz unauthenticated remote code execution vulnerability in HttpEngine

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200206 svn commit: r1873710 - in /ofbiz/site: security.html template/page/security.tpl.php

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php

mailing-list

x_refsource_MLIST

[ofbiz-commits] 20200430 [ofbiz-site] branch master updated: Update for 2 last CVEs: CVE-2019-0235 & CVE-2019-12425

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.