Apache OFBiz versions v17.12.01 to v17.12.07 use try/catch blocks to handle errors at multiple locations, but still leak sensitive table information, which may aid an attacker in further reconnaissance. A user can register with a very long password, but when they try to log in with it, an exception occurs.
[
{
"source": "https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"id": "CVE-2021-25958-68c2aada",
"digest": {
"function_hash": "144741747658494383120476548327941776878",
"length": 9902.0
},
"target": {
"function": "userLogin",
"file": "framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java"
}
},
{
"source": "https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"id": "CVE-2021-25958-878807ce",
"digest": {
"threshold": 0.9,
"line_hashes": [
"32606632593640065468248210987821879733",
"200531111477409553662999894105605923374",
"289972015497303555041083521210063810923",
"109116416936946298742679716383752612640",
"81953033587050882691275832451472073088",
"267617210043281553941494801289174868686",
"34404009237307586345414036235181602538",
"149820428946309151202528442026414149188",
"159870138285328821481411082755674453957",
"138358119217820591267769456432040003640",
"187105862044598432451416096314680360342",
"296823163663119527232475368969174385688",
"177236513552390191257737232870915070621",
"339660004404640386518045384322311395283",
"199462711897053384151894667093735741136",
"73522910456790200690367155376074993387"
]
},
"target": {
"file": "framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java"
}
}
]