Vulnerability in Apache Software Foundation Ofbiz
CVE-2021-30128
Apache OFBiz has unsafe deserialization prior to version 17.12.07.
EPSS: 0.932 (99.8th percentile)
Affected products
- Apache Software Foundation Ofbiz, versions prior to 17.12.07
References
- lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d1… (x_refsource_MISC)
- [ofbiz-notifications] 20210427 [jira] [Updated] (OFBIZ-12221) Fixed ObjectInputStream denyList [CVE-2021-30128] (mailing-list, x_refsource_MLIST)
- [ofbiz-notifications] 20210427 [jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128] (mailing-list, x_refsource_MLIST)
- [oss-security] 20210427 [CVE-2021-30128] Unsafe deserialization in OFBiz (mailing-list, x_refsource_MLIST)
- [ofbiz-user] 20210427 [CVE-2021-30128] Unsafe deserialization in OFBiz (mailing-list, x_refsource_MLIST)
- [ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07 (mailing-list, x_refsource_MLIST)
- [announce] 20210427 [CVE-2021-30128] Unsafe deserialization in OFBiz (mailing-list, x_refsource_MLIST)
- [ofbiz-notifications] 20210605 [jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128] (mailing-list, x_refsource_MLIST)
- [ofbiz-notifications] 20210729 [jira] [Updated] (OFBIZ-12212) Comment out the SOAP and HTTP engines - Fix [CVE-2021-30128] (mailing-list, x_refsource_MLIST)
- [ofbiz-commits] 20210811 [ofbiz-site] branch master updated: Updates security page for CVE-2021-37608 fixed in 17.12.08 (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2021-30128?
- CVE-2021-30128 is a vulnerability in Apache Software Foundation Ofbiz. Published 2021-04-27.
- Is CVE-2021-30128 known to be exploited?
- 29 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.