Vulnerability Details CVE-2021-25958
In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 83.3%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.0
References
- https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958
- https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958
Products affected by CVE-2021-25958
-
cpe:2.3:a:apache:ofbiz:17.12.01
-
cpe:2.3:a:apache:ofbiz:17.12.03
-
cpe:2.3:a:apache:ofbiz:17.12.04
-
cpe:2.3:a:apache:ofbiz:17.12.05
-
cpe:2.3:a:apache:ofbiz:17.12.06
-
cpe:2.3:a:apache:ofbiz:17.12.07