Apache OFBiz: CVE-2018-17200: Other vulnerability.
| Severity | CVSS (v2 vector) | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Sep 11, 2019 | Dec 23, 2024 | Nov 28, 2025 |
Description
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. The service takes the `serviceContent` request parameter and deserializes it with XStream. That `XStream` instance is only lightly guarded: it denies the creation of `ProcessBuilder` and nothing else. A denylist of one class is easily bypassed, and in more than one way, because any other class reachable on the classpath can still be instantiated from attacker-supplied XML. The CVSS v2 vector (Au:N) reflects that no authentication is needed to reach the endpoint. Mitigation: upgrade to 16.11.06, or manually apply commits r1850017 and r1850019 on branch 16.
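The following Java snippet is an added illustration of the two guard styles; it is not OFBiz's own code and not the patched code from r1850017/r1850019. It assumes XStream 1.4.x (1.4.7 or later, where the type-permission API exists) on the classpath; the class name, the sample XML and the choice of `java.io.File` as the "unexpected" type are constructed for the demo. The deny-list instance mirrors the guard the advisory describes (only `ProcessBuilder` blocked) and accepts a type the service never needs; the allow-list instance starts closed and admits only the map-of-strings shape a service context would carry.

```java
import java.util.HashMap;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Demo of deny-list vs allow-list XStream configuration for a request
 * parameter such as serviceContent. Hypothetical class, not OFBiz code.
 */
public class HttpServiceDeserializationDemo {

    /** Deny-list guard of the kind the advisory describes: only ProcessBuilder is blocked. */
    static XStream denylistXStream() {
        XStream xs = new XStream();
        // XStream before 1.4.18 permitted every type by default; state that
        // explicitly so the demo behaves the same on newer releases.
        xs.addPermission(AnyTypePermission.ANY);
        xs.denyTypes(new Class[] { ProcessBuilder.class });
        return xs;
    }

    /** Allow-list guard: refuse everything, then permit only what the service expects. */
    static XStream allowlistXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start fully closed
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // ints, booleans, ...
        xs.allowTypes(new Class[] { String.class, HashMap.class });
        return xs;
    }

    /** Constructed sample of a service-context payload (a map of strings), not captured traffic. */
    static final String CONTEXT_XML =
        "<map><entry><string>login.username</string><string>demo</string></entry></map>";

    /**
     * Constructed payload naming a type the service never needs. java.io.File is
     * harmless; the point is that a deny-list lets every class NOT named on it through.
     */
    static final String UNEXPECTED_TYPE_XML = "<file>/etc/hostname</file>";

    /** Returns a one-line verdict instead of throwing, so both configurations can be compared. */
    static String tryDeserialize(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "accepted " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream weak = denylistXStream();
        XStream strong = allowlistXStream();

        // Deny-list: both payloads are accepted, including the unexpected java.io.File.
        System.out.println("deny-list,  expected payload: " + tryDeserialize(weak, CONTEXT_XML));
        System.out.println("deny-list,  unexpected type:  " + tryDeserialize(weak, UNEXPECTED_TYPE_XML));

        // Allow-list: the map of strings is accepted, java.io.File is rejected.
        System.out.println("allow-list, expected payload: " + tryDeserialize(strong, CONTEXT_XML));
        System.out.println("allow-list, unexpected type:  " + tryDeserialize(strong, UNEXPECTED_TYPE_XML));
    }
}
```

The design point: a deny-list must name every dangerous class in advance, and the JDK and any library on the classpath keep supplying new ones, whereas an allow-list of the handful of types the endpoint actually needs fails closed. Upgrading to the fixed OFBiz release remains the supported remediation; the allow-list above is a general XStream hardening pattern, not a substitute for the vendor patch.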
Solution
apache-ofbiz-upgrade-latest
References
- CVE-2018-17200
- https://attackerkb.com/topics/CVE-2018-17200
- https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E
- https://s.apache.org/m9boi
- https://svn.apache.org/viewvc?view=revision&revision=1850017
- https://svn.apache.org/viewvc?view=revision&revision=1850019