Vulnerability Details : CVE-2021-29200
Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
Products affected by CVE-2021-29200
- cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-29200
90.73%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-29200
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-29200
-
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-29200
-
https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
[ofbiz-site] branch master updated: Updates security page for CVE-2021-37608 fixed in 17.12.08 - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097@%3Cdev.ofbiz.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d@%3Ccommits.ofbiz.apache.org%3E
[ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07 - Pony MailMailing List;Patch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2021/04/27/4
oss-security - [CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMIMailing List;Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda@%3Cnotifications.ofbiz.apache.org%3E
[jira] [Updated] (OFBIZ-12216) Fixed UtilObject class [CVE-2021-29200] - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097@%3Cuser.ofbiz.apache.org%3E
[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097@%3Cannounce.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097%40%3Cdev.ofbiz.apache.org%3E
[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI - Pony MailMailing List;Vendor Advisory
Jump to