<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2019-10074] Apache OFBiz RCE (template injection)
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Jacopo Cappellato <jacopoc () apache org>
Date: Tue, 10 Sep 2019 15:29:27 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: OFBiz 16.11.01 to 16.11.05

An RCE is possible by entering Freemarker markup in an OFBiz Form Widget
textarea field when encoding has been disabled on such a field. This was
the case for the Customer Request "story" input in the Order Manager
application. Encoding should not be disabled without good reason and never
within a field that accepts user input.

Mitigation:
Upgrade to 16.11.06
or manually apply the following commit on branch 16.11:
r1858533
----

Credit:
Niels Heinen of the Google security team <heinenn () google com>

References:
http://ofbiz.apache.org/download.html#vulnerabilities
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
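An added example, not part of the advisory and not OFBiz project code: a Python audit that scans Form Widget XML for fields whose output encoding is turned off and marks those backed by a text input for priority review. It assumes the setting in question is the form widget `encode-output="false"` field attribute (the advisory does not name it); the form definitions, form names and the `audit_forms` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Child elements of <field> that take user-typed text (a subset of the
# form widget schema; extend it to match the OFBiz version in use).
INPUT_WIDGETS = {"textarea", "text", "text-find", "password", "lookup"}

# Constructed sample, not taken from the OFBiz source tree.
SAMPLE_FORMS = """\
<forms>
  <form name="EditExampleRequest" type="single" target="updateExample">
    <field name="summary"><text size="60"/></field>
    <field name="story" encode-output="false"><textarea rows="10"/></field>
    <field name="statusId" encode-output="false"><display/></field>
  </form>
  <form name="ListExampleNotes" type="list">
    <field name="noteInfo" encode-output="true"><text/></field>
    <field name="createdDate"><display/></field>
  </form>
</forms>
"""

def local(tag):
    """Strip an XML namespace prefix such as {http://...}field."""
    return tag.rsplit("}", 1)[-1]

def audit_forms(xml_text):
    """Return (form, field, widget, risk) for every field with encoding off."""
    findings = []
    root = ET.fromstring(xml_text)
    for form in root.iter():
        if local(form.tag) != "form":
            continue
        for field in form:
            if local(field.tag) != "field":
                continue
            # Assumption: encoding is on unless the attribute is exactly "false".
            if field.get("encode-output") != "false":
                continue
            widgets = [local(child.tag) for child in field]
            widget = widgets[0] if widgets else "(none)"
            # A text input with encoding off matches the pattern the advisory describes.
            risk = "HIGH" if widget in INPUT_WIDGETS else "REVIEW"
            findings.append((form.get("name"), field.get("name"), widget, risk))
    return findings

if __name__ == "__main__":
    for form, field, widget, risk in audit_forms(SAMPLE_FORMS):
        print(f"{risk:6} {form}.{field} <{widget}> has encode-output=false")
```

Fields reported as REVIEW render stored values without encoding, so they still need a check that the underlying data can never come from user input.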
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->