CVE-2021-37608

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://ofbiz.apache.org/security.html", "name": "https://ofbiz.apache.org/security.html", "tags": ["Patch", "Product", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://lists.apache.org/thread.html/r8d824c1491f552da820ef181b7b2d0541410b3a8748b7906265bbb03@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210827 [jira] [Updated] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rca5b167748f0d04816747d68c4ceb7afff9b7b7556211793847d3382@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210827 [jira] [Created] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/re438aa1054c22eb65f2a047c337259e3b421a30b4ef11afb28c36b93@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210902 [jira] [Assigned] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r164c91c47d638869c38e41b3ce501ecaa71f385939f098b2e04df049@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210903 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rae6c5ec2c5fc00cbc75612ab6d94a8cc0d02603228cab6316f2b858e@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210903 [ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r5899ec8324d961863e162b75679309ba4ebe9dbd79cd28edbaafcdca@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210903 [ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r23d04e9c477c3547f6cc87f11626899617927053bbac15b72645ac7b@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210903 [ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r21f76ccb0fca2e2b236328d91b9d4b760352fae6293d5275f1c25a3a@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210903 [jira] [Closed] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rdfab8e1df42888416e2705acc86b32e1ea0a03a131ed3ea4ff38f4af@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210904 [jira] [Comment Edited] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rc40120f33e38f51fc1036c6572094d44cb19d73aa8d40142165ed92d@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210904 [jira] [Updated] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r5b7e87f970d678f819263b35b7179f0d979f5c0f716d789aec6536f9@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210917 [ofbiz-framework] branch trunk updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rfd639ca63c8a80534b65623d9c6068859d17e2dfaaeb00a24e9fec9c@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20210917 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/radf6d421ec20c9e6d738155d380514f9ba1c9386c5500bda2c9429aa@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210917 [ofbiz-framework] branch release17.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rb4024165b7ef0428761aa0c334d44bf8bd05b533310589ee30e3b6e1@%3Ccommits.ofbiz.apache.org%3E", "name": "[ofbiz-commits] 20210917 [ofbiz-framework] branch release18.12 updated: Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307)", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rd7d60e3276b8a9a106a6b057d3976fe123beff6c47c17ba5b3090140@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20211014 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/ra582196fe06566ac4dbd896223f58c379cdb38088df95def41517422@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20211014 [jira] [Comment Edited] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r3f1046dccb61568ca8d871f4527f274b2a531e0865fbe2c9afbfecce@%3Cnotifications.ofbiz.apache.org%3E", "name": "[ofbiz-notifications] 20211015 [jira] [Commented] (OFBIZ-12307) CVE-2021-37608 vulnerability bypass", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-434"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-37608", "ASSIGNER": "security@apache.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2021-08-18T08:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "17.12.08"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-04-06T15:12Z"}