Message-ID: <CAEvdU_1YsVy-7xZNn-uHDjzsbsUHvQNL-8ue5Dzb2q1kaF1UdA@mail.gmail.com>
Date: Tue, 10 Sep 2019 15:29:27 -0700
From: Jacopo Cappellato <jacopoc@...che.org>
To: "user@...iz.apache.org ML" <user@...iz.apache.org>, Dev list <dev@...iz.apache.org>, announce@...che.org, security@...iz.apache.org, oss-security@...ts.openwall.com, heinenn@...gle.com
Subject: [CVE-2019-10074] Apache OFBiz RCE (template injection)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: OFBiz 16.11.01 to 16.11.05

An RCE is possible by entering Freemarker markup in an OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input.

Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533

----

Credit: Niels Heinen of the Google security team <heinenn@...gle.com>

References: http://ofbiz.apache.org/download.html#vulnerabilities
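The bug class described above, server-side template injection through a field whose output encoding was switched off, is easy to reproduce outside OFBiz. The following is an added, self-contained Java example written for this page; it is not OFBiz code and does not use the OFBiz Form Widget API (class and method names here, `renderVulnerable`, `renderHardened`, `baseConfig`, and the `story` model key, are ours). It contrasts the unsafe pattern, where user text ends up inside the FreeMarker template source and is therefore interpreted, with the pattern OFBiz's encoding setting is meant to enforce: the template is fixed, the user text is only a data-model value, and output is HTML-escaped. The probe string is constructed for the demo.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;

/**
 * Added example (not OFBiz code): shows why user text must never reach the
 * template source and why output encoding must stay on for user-supplied fields.
 */
public class TemplateInjectionDemo {

    /** Hardened FreeMarker configuration (assumed baseline, not OFBiz's). */
    private static Configuration baseConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        // Disallow the ?new built-in on arbitrary classes, so templates cannot
        // instantiate helper classes that reach the OS even if markup does get in.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    /**
     * Vulnerable pattern: the user's text is concatenated into the template
     * SOURCE, so any ${...} or <#...> it contains is executed by the engine.
     */
    static String renderVulnerable(String userStory) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        String source = "<textarea name=\"story\">" + userStory + "</textarea>";
        Template t = new Template("story", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    /**
     * Hardened pattern: the template is a fixed string, the user's text is a
     * data-model VALUE, and the HTML output format auto-escapes ${story}.
     * Template markup inside the value is reproduced as literal text.
     */
    static String renderHardened(String userStory) throws Exception {
        Configuration cfg = baseConfig();
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        String source = "<textarea name=\"story\">${story}</textarea>";
        Template t = new Template("story", new StringReader(source), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("story", userStory);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe: harmless arithmetic plus a tag, the usual SSTI canary.
        String probe = "${7*7} <b>hi</b>";
        System.out.println(renderVulnerable(probe));
        System.out.println(renderHardened(probe));
    }
}
```

Run with the FreeMarker jar on the classpath. The first line of output shows the probe's arithmetic evaluated by the engine, which is the tell-tale sign that the field is a template-injection sink; the second reproduces `${7*7}` verbatim and escapes the tag. The `ALLOWS_NOTHING_RESOLVER` setting is defence in depth only: the fix that matters is the one the advisory names, keeping encoding enabled on every field that accepts user input.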