{"containers": {"cna": {"affected": [{"product": "OFBiz", "vendor": "Apache", "versions": [{"status": "affected", "version": "OFBiz 16.11.01 to 16.11.05"}]}], "descriptions": [{"lang": "en", "value": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16"}], "problemTypes": [{"descriptions": [{"description": "remote code execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-02T12:06:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[ofbiz-dev] 20190910 [CVE-2019-0189] Apache OFBiz remote code execution and arbitrary file delete via Java", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://s.apache.org/hsn2g"}, {"name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10770) Update Apache commons-fileupload to last version (CVE-2019-0189)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200206 svn commit: r1873710 - in /ofbiz/site: security.html template/page/security.tpl.php", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200224 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch trunk updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release18.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200224 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200430 [ofbiz-site] branch master updated: Update for 2 last CVEs: CVE-2019-0235 & CVE-2019-12425", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200502 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-0189", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OFBiz", "version": {"version_data": [{"version_value": "OFBiz 16.11.01 to 16.11.05"}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "remote code execution"}]}]}, "references": {"reference_data": [{"name": "[ofbiz-dev] 20190910 [CVE-2019-0189] Apache OFBiz remote code execution and arbitrary file delete via Java", "refsource": "MLIST", "url": "https://s.apache.org/hsn2g"}, {"name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8@%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-10770) Update Apache commons-fileupload to last version (CVE-2019-0189)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f@%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200206 svn commit: r1873710 - in /ofbiz/site: security.html template/page/security.tpl.php", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151@%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200224 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69@%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch trunk updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6@%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release17.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9@%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200224 [ofbiz-framework] branch release18.12 updated: Fixed: Improve ObjectInputStream class (CVE-2019-0189) Improved: no functional change (OFBIZ-10837) (OFBIZ-11398)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8@%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200224 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd@%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e@%3Cnotifications.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d@%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-commits] 20200430 [ofbiz-site] branch master updated: Update for 2 last CVEs: CVE-2019-0235 & CVE-2019-12425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f@%3Ccommits.ofbiz.apache.org%3E"}, {"name": "[ofbiz-notifications] 20200502 [jira] [Commented] (OFBIZ-10837) Improve ObjectInputStream class (CVE-2019-0189)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7@%3Cnotifications.ofbiz.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0189", "datePublished": "2019-09-11T20:29:24", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2020-05-02T12:06:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DC9625E-4C35-47F3-A374-CA1DC47BADA0", "versionEndExcluding": "16.11.06", "versionStartIncluding": "16.11.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the \"webtools/control/httpService\" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter \"serviceContext\" is passed to the \"deserialize\" method of \"XmlSerializer\". Apache Ofbiz is affected via two different dependencies: \"commons-beanutils\" and an out-dated version of \"commons-fileupload\" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16"}, {"lang": "es", "value": "Es conocido que java.io.ObjectInputStream causa problemas de serializaci\u00f3n del Java. Este problema aqu\u00ed est\u00e1 expuesto por la URL \"webtools/control/httpService\" y usa la deserializaci\u00f3n de Java para llevar a cabo la ejecuci\u00f3n del c\u00f3digo. En HttpEngine, el valor del par\u00e1metro request \"serviceContext\" es pasado al m\u00e9todo \"deserialize\" de \"XmlSerializer\". Apache Ofbiz est\u00e1 afectado por dos dependencias diferentes: \"commons-beanutils\" y una versi\u00f3n obsoleta de \"commons-fileupload\", Mitigaci\u00f3n: Actualice a la versi\u00f3n 16.11.06 o aplique manualmente las confirmaciones de OFBIZ-10770 y OFBIZ-10837 en la derivaci\u00f3n 16"}], "id": "CVE-2019-0189", "lastModified": "2023-11-07T03:01:47.110", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-11T21:15:10.953", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b584000900a270a86587f979a55f9%40%3Ccommits.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rb0e716837168dc1073fcd76bea644806e5337c247fdb5d8c243d41f8%40%3Ccommits.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rc0a839fe38d3de775f62e39d45af91870950b59688b64ab61ecc080e%40%3Cnotifications.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/re4623c0fec904882cbbf8cda558f88c1857397fb5c35761bc12a78bd%40%3Cnotifications.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/ref1b535d7bd5423bfb456cd05aa41e52875390cdfc6ae7c50397ead6%40%3Ccommits.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://s.apache.org/hsn2g"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}