cnvd - cnvd-2023-03921

cnvd-2023-03921

Vulnerability from cnvd

Title: Apache OFBiz存在未明漏洞（CNVD-2023-03921）

Description:

Apache OFBiz是美国阿帕奇（Apache）基金会的一套企业资源计划（ERP）系统。该系统提供了一整套基于Java的Web应用程序组件和工具。

Apache OFBiz 18.12.05 及之前版本存在安全漏洞，攻击者可利用该漏洞进行正则表达式拒绝服务攻击。

Severity: 高

Patch Name: Apache OFBiz存在未明漏洞（CNVD-2023-03921）的补丁

Patch Description:

Apache OFBiz是美国阿帕奇（Apache）基金会的一套企业资源计划（ERP）系统。该系统提供了一整套基于Java的Web应用程序组件和工具。

Apache OFBiz 18.12.05 及之前版本存在安全漏洞，攻击者可利用该漏洞进行正则表达式拒绝服务攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-29158

Impacted products

Name
Apache OFBiz <=18.12.05

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-29158"
    }
  },
  "description": "Apache OFBiz\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff08ERP\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u63d0\u4f9b\u4e86\u4e00\u6574\u5957\u57fa\u4e8eJava\u7684Web\u5e94\u7528\u7a0b\u5e8f\u7ec4\u4ef6\u548c\u5de5\u5177\u3002\n\nApache OFBiz 18.12.05 \u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u6b63\u5219\u8868\u8fbe\u5f0f\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-03921",
  "openTime": "2023-01-18",
  "patchDescription": "Apache OFBiz\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff08ERP\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u63d0\u4f9b\u4e86\u4e00\u6574\u5957\u57fa\u4e8eJava\u7684Web\u5e94\u7528\u7a0b\u5e8f\u7ec4\u4ef6\u548c\u5de5\u5177\u3002\r\n\r\nApache OFBiz 18.12.05 \u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u6b63\u5219\u8868\u8fbe\u5f0f\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache OFBiz\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2023-03921\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache OFBiz \u003c=18.12.05"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-29158",
  "serverity": "\u9ad8",
  "submitTime": "2022-09-02",
  "title": "Apache OFBiz\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2023-03921\uff09"
}

CVE-2022-29158 (GCVE-0-2022-29158)

Vulnerability from cvelistv5

Published

2022-09-02 07:10

Modified

2024-08-03 06:10

Severity ?

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Summary

Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

References

▼	URL	Tags
	https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2022/09/02/5	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache OFBiz	Version: Apache OFBiz <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:59.432Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928"
          },
          {
            "name": "[oss-security] 20220902 Apache OFBiz - Regular Expression Denial of Service (ReDoS) (CVE-2022-29158)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/09/02/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache OFBiz",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "18.12.05",
              "status": "affected",
              "version": "Apache OFBiz",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Tony Torralba and Joseph Farebrother from the GitHub CodeQL team."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-02T11:06:12",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928"
        },
        {
          "name": "[oss-security] 20220902 Apache OFBiz - Regular Expression Denial of Service (ReDoS) (CVE-2022-29158)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/09/02/5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-29158",
          "STATE": "PUBLIC",
          "TITLE": "Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache OFBiz",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache OFBiz",
                            "version_value": "18.12.05"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Tony Torralba and Joseph Farebrother from the GitHub CodeQL team."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1333: Inefficient Regular Expression Complexity"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928"
            },
            {
              "name": "[oss-security] 20220902 Apache OFBiz - Regular Expression Denial of Service (ReDoS) (CVE-2022-29158)",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/09/02/5"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-29158",
    "datePublished": "2022-09-02T07:10:20",
    "dateReserved": "2022-04-13T00:00:00",
    "dateUpdated": "2024-08-03T06:10:59.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted