Apache OFBiz versions v17.12.01 to v17.12.07 use try/catch blocks to handle errors at multiple locations, but this error handling leaks sensitive table information, which may aid an attacker in further reconnaissance. A user can register with a very long password, but an exception occurs when that user then tries to log in with it.
{ "vanir_signatures": [ { "digest": { "function_hash": "144741747658494383120476548327941776878", "length": 9902.0 }, "id": "CVE-2021-25958-68c2aada", "source": "https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c", "signature_version": "v1", "signature_type": "Function", "target": { "file": "framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java", "function": "userLogin" }, "deprecated": false }, { "digest": { "threshold": 0.9, "line_hashes": [ "32606632593640065468248210987821879733", "200531111477409553662999894105605923374", "289972015497303555041083521210063810923", "109116416936946298742679716383752612640", "81953033587050882691275832451472073088", "267617210043281553941494801289174868686", "34404009237307586345414036235181602538", "149820428946309151202528442026414149188", "159870138285328821481411082755674453957", "138358119217820591267769456432040003640", "187105862044598432451416096314680360342", "296823163663119527232475368969174385688", "177236513552390191257737232870915070621", "339660004404640386518045384322311395283", "199462711897053384151894667093735741136", "73522910456790200690367155376074993387" ] }, "id": "CVE-2021-25958-878807ce", "source": "https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c", "signature_version": "v1", "signature_type": "Line", "target": { "file": "framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java" }, "deprecated": false } ] }