CVE-2021-29200

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-29200

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29200.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-29200

Published

2021-04-27T20:15:08Z

Modified

2025-10-15T12:47:53.865365Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

References

Affected packages

Git / github.com/apache/ofbiz-framework

Affected ranges

Type: GIT
Repo: https://github.com/apache/ofbiz-framework
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

717bd4ba43807ee20eafbe1d44b048b3d4f7b20c

Affected versions

release17.*

release17.12.01

release17.12.03

release17.12.05

release17.12.06

Database specific

vanir_signatures

[
    {
        "id": "CVE-2021-29200-5d11b77b",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java"
        },
        "digest": {
            "line_hashes": [
                "110015357393237510422024547574110445891",
                "103759469619733990389107269988253683292",
                "53310710791051227402110386129181641124",
                "338375898274596716495337317305322336620",
                "252025656421102958553176540317162580723",
                "326270266377966770245133828702753501876",
                "217016609819802681141859637634855935287",
                "156772864617605705593393775214733732284",
                "142748572956406197153890146424230660178",
                "242918629267813835003175391117285889672",
                "275436613290359802416043000553657283867",
                "327848660510616831988587361445399539602",
                "304625182092133006104264998509195074719",
                "226487228024108790944300977603416434887",
                "298719494205625718619385142369913695954",
                "189928426396389557405566135383339705472",
                "85445592557782425591869575799430982868",
                "331630501652662490500311835116269740470",
                "206233465455324272214085228383807030490",
                "93492048358034791674208089889632386451",
                "88976781864824335147783806406434465949",
                "144821322174533928607795755636700290308",
                "106151073967580855851351509449120792913",
                "115048922722834692105810608253650446279",
                "284266970324443606099003225672678301584",
                "240763838389343635670668203169045824818"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/apache/ofbiz-framework/commit/717bd4ba43807ee20eafbe1d44b048b3d4f7b20c"
    },
    {
        "id": "CVE-2021-29200-94ab6085",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java",
            "function": "isValidFile"
        },
        "digest": {
            "function_hash": "325160111052579006851973960307013263862",
            "length": 2640.0
        },
        "source": "https://github.com/apache/ofbiz-framework/commit/717bd4ba43807ee20eafbe1d44b048b3d4f7b20c"
    }
]