CVE-2021-29200

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-29200

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29200.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-29200

Published

2021-04-27T20:15:08Z

Modified

2025-09-19T12:46:34.082788Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

References

Affected packages

Git / github.com/apache/ofbiz-framework

Affected ranges

Type: GIT
Repo: https://github.com/apache/ofbiz-framework
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

717bd4ba43807ee20eafbe1d44b048b3d4f7b20c

Affected versions

release17.*

release17.12.01

release17.12.03

release17.12.05

release17.12.06

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "110015357393237510422024547574110445891",
                    "103759469619733990389107269988253683292",
                    "53310710791051227402110386129181641124",
                    "338375898274596716495337317305322336620",
                    "252025656421102958553176540317162580723",
                    "326270266377966770245133828702753501876",
                    "217016609819802681141859637634855935287",
                    "156772864617605705593393775214733732284",
                    "142748572956406197153890146424230660178",
                    "242918629267813835003175391117285889672",
                    "275436613290359802416043000553657283867",
                    "327848660510616831988587361445399539602",
                    "304625182092133006104264998509195074719",
                    "226487228024108790944300977603416434887",
                    "298719494205625718619385142369913695954",
                    "189928426396389557405566135383339705472",
                    "85445592557782425591869575799430982868",
                    "331630501652662490500311835116269740470",
                    "206233465455324272214085228383807030490",
                    "93492048358034791674208089889632386451",
                    "88976781864824335147783806406434465949",
                    "144821322174533928607795755636700290308",
                    "106151073967580855851351509449120792913",
                    "115048922722834692105810608253650446279",
                    "284266970324443606099003225672678301584",
                    "240763838389343635670668203169045824818"
                ]
            },
            "id": "CVE-2021-29200-5d11b77b",
            "source": "https://github.com/apache/ofbiz-framework/commit/717bd4ba43807ee20eafbe1d44b048b3d4f7b20c",
            "signature_type": "Line",
            "signature_version": "v1",
            "target": {
                "file": "framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java"
            },
            "deprecated": false
        },
        {
            "digest": {
                "function_hash": "325160111052579006851973960307013263862",
                "length": 2640.0
            },
            "id": "CVE-2021-29200-94ab6085",
            "source": "https://github.com/apache/ofbiz-framework/commit/717bd4ba43807ee20eafbe1d44b048b3d4f7b20c",
            "signature_type": "Function",
            "signature_version": "v1",
            "target": {
                "file": "framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java",
                "function": "isValidFile"
            },
            "deprecated": false
        }
    ]
}