Description

Apache OFBiz versions prior to 17.12.06 are vulnerable to a Java deserialization vulnerability that affects the unauthenticated SOAP endpoint /webtools/control/SOAPService. This vulnerability allows an attacker to execute arbitrary code on the affected system.

Remediation

Upgrade to the latest version of Apache OFBiz. This issue was fixed in version 17.12.06.

References

CVE-2021-26295

CVE-2021-26295 fix thread

Apache OFBiz

Related Vulnerabilities

F5 BIG-IP Traffic Management User Interface (TMUI) RCE

Text4shell: Apache Commons Text RCE via insecure interpolation

Kramer VIAware RCE (CVE-2021-36356/CVE-2021-35064)

Data Binding Expression Vulnerability in Spring Web Flow

WordPress Plugin Secure File Manager Remote Code Execution (2.8.1)

Severity

High

Classification

CVE-2021-26295 CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor Insecure Deserialization