CVE-2016-2170

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 12-04-2016 04:59

Last modified: - 25-05-2022 10:39

Total changes: - 8

Description

Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

High

Confidentiality

High

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

9.8

Base score

3.9

5.9

Exploitability score

Impact score

Verification logic

vendor=apache AND product=ofbiz AND versionStartIncluding=12.04 AND versionEndExcluding=12.04.06

vendor=apache AND product=ofbiz AND versionStartIncluding=13.07 AND versionEndExcluding=13.07.03

Reference

http://packetstormsecurity.com/files/136639/Apache-OFBiz-13.07.02-13.07.01-Information-Disclosure.html
https://blogs.apache.org/ofbiz/entry/announce_apache_ofbiz_12_04
https://blogs.apache.org/ofbiz/entry/announce_apache_ofbiz_13_07
https://cwiki.apache.org/confluence/display/OFBIZ/The+infamous+Java+serialization+vulnerability
http://ofbiz.apache.org/download.html#vulnerabilities
https://issues.apache.org/jira/browse/OFBIZ-6726
1035513-Third Party Advisory, VDB Entry
20160408 CVE-2016-2170: Apache OFBiz information disclosure vulnerability-Third Party Advisory, VDB Entry
[ofbiz-dev] 20210325 Comment out the SOAP and HTTP engines?-Mailing List, Vendor Advisory
[ofbiz-dev] 20210325 Re: Comment out the SOAP and HTTP engines?-Mailing List, Vendor Advisory
[ofbiz-dev] 20210329 Re: Comment out the SOAP and HTTP engines?-Mailing List, Vendor Advisory
[ofbiz-notifications] 20210329 [jira] [Commented] (OFBIZ-6942) Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]-Mailing List, Vendor Advisory
[ofbiz-notifications] 20210329 [jira] [Commented] (OFBIZ-12167) Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)-Mailing List, Vendor Advisory
[ofbiz-notifications] 20210427 [jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]-Mailing List, Vendor Advisory
[ofbiz-notifications] 20210605 [jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]-Issue Tracking, Mailing List, Vendor Advisory
[ofbiz-notifications] 20210729 [jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128]-Issue Tracking, Mailing List, Vendor Advisory

Keywords

CVE-2016-2170

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2016-2170

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures