Lucene search

MendCVELIST:CVE-2021-25958

HistoryAug 23, 2021 - 12:00 a.m.

CVE-2021-25958 Generation of Error Message Containing Sensitive Information in Apache OFBiz

2021-08-2300:00:00

CWE-209

Mend

www.cve.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

0.002 Low

EPSS

Percentile

53.2%

JSON

In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.

CNA Affected

[
  {
    "product": "ofbiz-framework",
    "vendor": "apache",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "v17.12.01",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v17.12.07",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c

www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

0.002 Low

EPSS

Percentile

53.2%

JSON

Related for CVELIST:CVE-2021-25958