Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
Fixes

Solution

No solution given by the vendor.


Workaround

Upgrade to at least 17.12.06 or apply the patch at https://github.com/apache/ofbiz-framework/commit/af9ed4e/

References
Link Providers
http://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html cve-icon cve-icon
https://lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r0d97a3b7a14777b9e9e085b483629d2774343c4723236d1c73f43ff0%40%3Cdev.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3ee005dd767cd83f522719423f5e7dd316f168ddbd1dc51a13d4e244%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rab718cfe6468085d7560c0c1ae816841e175886199f42e36efb8d735%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rbe512e5ccd6b11169c6379daa1234bc805f3d53c5a38224e956295ce%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d%40%3Ccommits.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc9bd0d3d794dc370bc70585960841868cb29b92dcc80552b84ca2599%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rec5e9fdcdca13099cfb29f632333f44ad1dd60d90f67b90434e4467a%40%3Cdev.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/reccf8c8a58337ce7c035495d3d82fbc549e97036a9789a2a7d9cccf6%40%3Cdev.ofbiz.apache.org%3E cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-02-13T16:27:51.958Z

Reserved: 2021-01-28T00:00:00.000Z

Link: CVE-2021-26295

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-03-22T12:15:13.877

Modified: 2024-11-21T05:56:02.423

Link: CVE-2021-26295

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.