CVE-2021-37608

Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://ofbiz.apache.org/security.html	Patch Product Vendor Advisory
https://lists.apache.org/thread.html/r8d824c1491f552da820ef181b7b2d0541410b3a8748b7906265bbb03@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Patch Vendor Advisory
https://lists.apache.org/thread.html/rca5b167748f0d04816747d68c4ceb7afff9b7b7556211793847d3382@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/re438aa1054c22eb65f2a047c337259e3b421a30b4ef11afb28c36b93@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r164c91c47d638869c38e41b3ce501ecaa71f385939f098b2e04df049@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rae6c5ec2c5fc00cbc75612ab6d94a8cc0d02603228cab6316f2b858e@%3Ccommits.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r5899ec8324d961863e162b75679309ba4ebe9dbd79cd28edbaafcdca@%3Ccommits.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r23d04e9c477c3547f6cc87f11626899617927053bbac15b72645ac7b@%3Ccommits.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r21f76ccb0fca2e2b236328d91b9d4b760352fae6293d5275f1c25a3a@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rdfab8e1df42888416e2705acc86b32e1ea0a03a131ed3ea4ff38f4af@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rc40120f33e38f51fc1036c6572094d44cb19d73aa8d40142165ed92d@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r5b7e87f970d678f819263b35b7179f0d979f5c0f716d789aec6536f9@%3Ccommits.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rfd639ca63c8a80534b65623d9c6068859d17e2dfaaeb00a24e9fec9c@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/radf6d421ec20c9e6d738155d380514f9ba1c9386c5500bda2c9429aa@%3Ccommits.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rb4024165b7ef0428761aa0c334d44bf8bd05b533310589ee30e3b6e1@%3Ccommits.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rd7d60e3276b8a9a106a6b057d3976fe123beff6c47c17ba5b3090140@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/ra582196fe06566ac4dbd896223f58c379cdb38088df95def41517422@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r3f1046dccb61568ca8d871f4527f274b2a531e0865fbe2c9afbfecce@%3Cnotifications.ofbiz.apache.org%3E	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Information

Published : 2021-08-18 01:15

Updated : 2022-04-06 08:12

NVD link : CVE-2021-37608

Mitre link : CVE-2021-37608

JSON object : View

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

Products Affected

apache

ofbiz

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://ofbiz.apache.org/security.html", "name": "https://ofbiz.apache.org/security.html", "tags": ["Patch", "Product", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://lists.apache.org/thread.html/r8d824c1491f552da820ef181b7b2d0541410b3a8748b7906265bbb03@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210827 [jira] [Updated] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rca5b167748f0d04816747d68c4ceb7afff9b7b7556211793847d3382@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210827 [jira] [Created] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/re438aa1054c22eb65f2a047c337259e3b421a30b4ef11afb28c36b93@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210902 [jira] [Assigned] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r164c91c47d638869c38e41b3ce501ecaa71f385939f098b2e04df049@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210903 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rae6c5ec2c5fc00cbc75612ab6d94a8cc0d02603228cab6316f2b858e@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210903 [ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r5899ec8324d961863e162b75679309ba4ebe9dbd79cd28edbaafcdca@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210903 [ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r23d04e9c477c3547f6cc87f11626899617927053bbac15b72645ac7b@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210903 [ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r21f76ccb0fca2e2b236328d91b9d4b760352fae6293d5275f1c25a3a@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210903 [jira] [Closed] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rdfab8e1df42888416e2705acc86b32e1ea0a03a131ed3ea4ff38f4af@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210904 [jira] [Comment Edited] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rc40120f33e38f51fc1036c6572094d44cb19d73aa8d40142165ed92d@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210904 [jira] [Updated] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r5b7e87f970d678f819263b35b7179f0d979f5c0f716d789aec6536f9@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210917 [ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rfd639ca63c8a80534b65623d9c6068859d17e2dfaaeb00a24e9fec9c@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210917 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/radf6d421ec20c9e6d738155d380514f9ba1c9386c5500bda2c9429aa@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210917 [ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rb4024165b7ef0428761aa0c334d44bf8bd05b533310589ee30e3b6e1@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210917 [ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rd7d60e3276b8a9a106a6b057d3976fe123beff6c47c17ba5b3090140@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20211014 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/ra582196fe06566ac4dbd896223f58c379cdb38088df95def41517422@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20211014 [jira] [Comment Edited] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r3f1046dccb61568ca8d871f4527f274b2a531e0865fbe2c9afbfecce@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20211015 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-434"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-37608", "ASSIGNER": "security@apache.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2021-08-18T08:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "17.12.08"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-04-06T15:12Z"}

9.8 /10