Description

Webtools XMLRPC endpoint of Apache OFBiz uses unsafe java deserialization and it's vulnerable to deserialization attacks. An attacker could exploit this vulnerability using specially-crafted serialized data to execute arbitrary code on the system or to perform a denial of service attack.

Remediation

Upgrade to the latest version of Apache OFBiz

References

Remove deprecated Apache XML-RPC related code (CVE-2023-49070)

Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496

Release Notes 17.12.04

Related Vulnerabilities

PHP version older than 5.2.1

WordPress Plugin Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Remote Code Execution (1.5.89)

WordPress Plugin PHP Everywhere Multiple Remote Code Execution Vulnerabilities (2.0.3)

Security update: Hotfix available for ColdFusion

VMware Horizon Log4Shell RCE

Severity

High

Classification

CVE-2020-9496 CVE-2023-49070 CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

Acumonitor Insecure Deserialization Code Execution Denial Of Service