Vulnerability in Apache Software Foundation Ofbiz
CVE-2021-29200
Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.
EPSS: 0.925 (99.7th percentile) — read the EPSS interpretation.
Affected products
- Apache Software Foundation Ofbiz — Apache OFBiz versions prior to 17.12.07
Public proof-of-concept exploits
References
- lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7b… (x_refsource_MISC)
- [oss-security] 20210427 [CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI (mailing-list, x_refsource_MLIST)
- [ofbiz-notifications] 20210427 [jira] [Updated] (OFBIZ-12216) Fixed UtilObject class [CVE-2021-29200] (mailing-list, x_refsource_MLIST)
- [ofbiz-user] 20210427 [CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI (mailing-list, x_refsource_MLIST)
- [ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07 (mailing-list, x_refsource_MLIST)
- [announce] 20210427 [CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI (mailing-list, x_refsource_MLIST)
- [ofbiz-commits] 20210811 [ofbiz-site] branch master updated: Updates security page for CVE-2021-37608 fixed in 17.12.08 (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2021-29200?
- CVE-2021-29200 is a vulnerability in Apache Software Foundation Ofbiz. Published 2021-04-27.
- Is CVE-2021-29200 known to be exploited?
- 17 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.