[CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

[CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

jacopoc
CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

Parameter values are not correctly validated and if JUEL metacharacters are included they are interpreted.

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi ([hidden email]).

References:

http://ofbiz.apache.org/download.html#vulnerabilities
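The description above is terse, so here is a constructed illustration of the mechanism it names and of the check the fix amounts to. This is added example code for this note, not OFBiz or JUEL source: a toy template resolver that substitutes `${name}` from a parameter map, shown in a single-pass form and in a "resolve until nothing changes" form. The second form re-interprets the result of the first substitution, so a request parameter whose value itself contains `${...}` is evaluated as an expression instead of being treated as data. The parameter names, values and the `validateParam` helper are all assumptions made up for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Constructed toy resolver (not OFBiz or JUEL code) showing why nested
 * expression evaluation lets attacker-controlled parameter values reach
 * the expression engine, and the input check that stops it.
 */
public class NestedEvalDemo {

    // Matches ${name} and #{name}; the "${" / "#{" prefixes are the EL
    // metacharacters the advisory refers to.
    private static final Pattern EXPR = Pattern.compile("[$#]\\{([^}]*)\\}");

    /** One substitution pass: the substituted text is NOT re-evaluated. */
    static String resolveOnce(String template, Map<String, String> vars) {
        Matcher m = EXPR.matcher(template);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String val = vars.getOrDefault(m.group(1), "");
            m.appendReplacement(sb, Matcher.quoteReplacement(val));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /**
     * Nested evaluation: keep resolving until the string stops changing.
     * This is the hazardous pattern, because data inserted by the first pass
     * is parsed as an expression by the next one.
     */
    static String resolveNested(String template, Map<String, String> vars) {
        String cur = template;
        for (int i = 0; i < 8; i++) {          // bound the loop; toy only
            String next = resolveOnce(cur, vars);
            if (next.equals(cur)) {
                return cur;
            }
            cur = next;
        }
        return cur;
    }

    /** True when a value carries EL metacharacters that must not be trusted. */
    static boolean containsElMetachars(String value) {
        return value != null && (value.contains("${") || value.contains("#{"));
    }

    /** Hypothetical validation hook: reject tainted request parameters up front. */
    static String validateParam(String name, String value) {
        if (containsElMetachars(value)) {
            throw new IllegalArgumentException(
                "parameter '" + name + "' contains expression metacharacters");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample data: "greeting" plays the role of an untrusted
        // request parameter, "internalValue" something the caller never
        // intended to expose through that parameter.
        Map<String, String> vars = new HashMap<>();
        vars.put("greeting", "Hello ${internalValue}");
        vars.put("internalValue", "value-only-server-code-should-see");

        String template = "${greeting}";
        // Single pass keeps the payload inert:  Hello ${internalValue}
        System.out.println("once   : " + resolveOnce(template, vars));
        // Nested pass interprets it:            Hello value-only-server-code-should-see
        System.out.println("nested : " + resolveNested(template, vars));

        // The hardened path refuses the parameter before any evaluation.
        try {
            validateParam("greeting", vars.get("greeting"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("clean   : " + validateParam("greeting", "Hello world"));
    }
}
```

The point to take from the two output lines is that the same template and the same parameter map give different results purely because of how many times the result is fed back to the resolver. Upgrading to the fixed releases listed in the advisory is the real remediation; a check like `validateParam` is the shape of the defence-in-depth control you would add at the request boundary if you cannot upgrade immediately.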


Re: [CVE-2013-2250] Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz

Scott Gray-2
I just want to bump this on the lists since that Douglas Cook idiot was causing a distraction.

It's very important that everyone with the OFBiz versions mentioned below (and trunk checkouts prior to r1500772) either upgrade or patch their installations as soon as possible.  I cannot stress this enough, do it now.

Regards
Scott

On 21/07/2013, at 4:03 AM, Jacopo Cappellato wrote:

> CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users to execute arbitrary UEL functions in OFBiz
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache OFBiz 10.04.01 to 10.04.05
> Apache OFBiz 11.04.01 to 11.04.02
> Apache OFBiz 12.04.01
>
> Description:
>
> Parameter values are not correctly validated and if JUEL metacharacters are included they are interpreted.
>
> Mitigation:
> 10.04.x users should upgrade to 10.04.06
> 11.04.x users should upgrade to 11.04.03
> 12.04.01 users should upgrade to 12.04.02
>
> Credit:
> This issue was discovered by Grégory Draperi ([hidden email]).
>
> References:
>
> http://ofbiz.apache.org/download.html#vulnerabilities